ryuk | 831a54f66b7645119d642dab565d86f4316752f6f2f759f9cc10737a34032ebf

General

Target

svchost.exe

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails eliasmarco@tutanota.com or CamdenScott@protonmail.com BTC wallet: 15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj Ryuk No system is safe

Emails

eliasmarco@tutanota.com

CamdenScott@protonmail.com

Wallets

15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

ZqqUZ.exe

pid process

2588 ZqqUZ.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\ResolveHide.tiff svchost.exe
Deletes itself 1 IoCs

Processes:

ZqqUZ.exe

pid process

2588 ZqqUZ.exe
Drops startup file 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ResolveHide.tiff	svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\ZqqUZ.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3976 set thread context of 1804 3976 svchost.exe svchost.exe

description	pid	process	target process
PID 3976 set thread context of 1804	3976	svchost.exe	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_18.svg	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\core_icons.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\LICENSE	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_backarrow_default.svg	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Microsoft.VCLibs.x86.14.00.appx	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fi-fi\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd28.tlb	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\over-arrow-navigation.svg	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.White.png	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\319A820A-549C-425F-BFCE-042E33B791C5\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\he-il\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\VEN2232.OLB	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\faf_icons.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\main-selector.css	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\inline-error-1x.png	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\core_icons_retina.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management-agent.jar	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main-selector.css	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\RyukReadMe.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\cross.png	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\RyukReadMe.txt	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

7884 3836 WerFault.exe DllHost.exe

pid	pid_target	process	target process
7884	3836	WerFault.exe	DllHost.exe

Kills process with taskkill 44 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5012	taskkill.exe
5660	taskkill.exe
1016	taskkill.exe
3096	taskkill.exe
2688	taskkill.exe
4724	taskkill.exe
4528	taskkill.exe
4124	taskkill.exe
4172	taskkill.exe
4656	taskkill.exe
5152	taskkill.exe
5720	taskkill.exe
5784	taskkill.exe
4944	taskkill.exe
5068	taskkill.exe
5276	taskkill.exe
5848	taskkill.exe
1312	taskkill.exe
2108	taskkill.exe
4164	taskkill.exe
4460	taskkill.exe
4404	taskkill.exe
4952	taskkill.exe
900	taskkill.exe
4004	taskkill.exe
4216	taskkill.exe
4328	taskkill.exe
2760	taskkill.exe
5332	taskkill.exe
5512	taskkill.exe
748	taskkill.exe
652	taskkill.exe
428	taskkill.exe
3984	taskkill.exe
5444	taskkill.exe
4276	taskkill.exe
4588	taskkill.exe
4792	taskkill.exe
5216	taskkill.exe
5588	taskkill.exe
3856	taskkill.exe
4868	taskkill.exe
4512	taskkill.exe
5396	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

ZqqUZ.exeWerFault.exe

pid	process
2588	ZqqUZ.exe
2588	ZqqUZ.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe
7884	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ZqqUZ.exe

pid process

2588 ZqqUZ.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeZqqUZ.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	748	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	3856	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	3096	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	428	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	4216	taskkill.exe
Token: SeDebugPrivilege	4328	taskkill.exe
Token: SeDebugPrivilege	4276	taskkill.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	4404	taskkill.exe
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	4656	taskkill.exe
Token: SeDebugPrivilege	4724	taskkill.exe
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeDebugPrivilege	4944	taskkill.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	5012	taskkill.exe
Token: SeDebugPrivilege	4124	taskkill.exe
Token: SeDebugPrivilege	4512	taskkill.exe
Token: SeDebugPrivilege	2760	taskkill.exe
Token: SeDebugPrivilege	4172	taskkill.exe
Token: SeDebugPrivilege	4952	taskkill.exe
Token: SeDebugPrivilege	5152	taskkill.exe
Token: SeDebugPrivilege	5216	taskkill.exe
Token: SeDebugPrivilege	5276	taskkill.exe
Token: SeDebugPrivilege	5396	taskkill.exe
Token: SeDebugPrivilege	5332	taskkill.exe
Token: SeDebugPrivilege	5444	taskkill.exe
Token: SeDebugPrivilege	5512	taskkill.exe
Token: SeDebugPrivilege	5588	taskkill.exe
Token: SeDebugPrivilege	5660	taskkill.exe
Token: SeDebugPrivilege	5784	taskkill.exe
Token: SeDebugPrivilege	5720	taskkill.exe
Token: SeDebugPrivilege	5848	taskkill.exe
Token: SeDebugPrivilege	2588	ZqqUZ.exe
Token: SeDebugPrivilege	7884	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost.exesvchost.exeZqqUZ.exe

description	pid	process	target process
PID 3976 wrote to memory of 1804	3976	svchost.exe	svchost.exe
PID 3976 wrote to memory of 1804	3976	svchost.exe	svchost.exe
PID 3976 wrote to memory of 1804	3976	svchost.exe	svchost.exe
PID 3976 wrote to memory of 1804	3976	svchost.exe	svchost.exe
PID 3976 wrote to memory of 1804	3976	svchost.exe	svchost.exe
PID 3976 wrote to memory of 1804	3976	svchost.exe	svchost.exe
PID 3976 wrote to memory of 1804	3976	svchost.exe	svchost.exe
PID 3976 wrote to memory of 1804	3976	svchost.exe	svchost.exe
PID 3976 wrote to memory of 1804	3976	svchost.exe	svchost.exe
PID 3976 wrote to memory of 1804	3976	svchost.exe	svchost.exe
PID 3976 wrote to memory of 1804	3976	svchost.exe	svchost.exe
PID 1804 wrote to memory of 2588	1804	svchost.exe	ZqqUZ.exe
PID 1804 wrote to memory of 2588	1804	svchost.exe	ZqqUZ.exe
PID 2588 wrote to memory of 748	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 748	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 652	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 652	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 3856	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 3856	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 1016	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 1016	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 1312	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 1312	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 3096	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 3096	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 2108	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 2108	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 900	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 900	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 2688	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 2688	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4004	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4004	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 428	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 428	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 3984	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 3984	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4164	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4164	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4216	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4216	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4276	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4276	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4328	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4328	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4404	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4404	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4460	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4460	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4528	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4528	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4588	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4588	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4656	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4656	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4724	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4724	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4792	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4792	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4868	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4868	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4944	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 4944	2588	ZqqUZ.exe	taskkill.exe
PID 2588 wrote to memory of 5012	2588	ZqqUZ.exe	taskkill.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
PID:2436

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3836

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3836 -s 848
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3580

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3368

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3356

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2704

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3976

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\users\Public\ZqqUZ.exe
"C:\users\Public\ZqqUZ.exe" C:\Users\Admin\AppData\Local\Temp\svchost.exe
3⤵
- Executes dropped EXE
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3996

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3616

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3632

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3568

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4020

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM excel.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM steam.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5152

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5216

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5276

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM visio.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5332

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM winword.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5396

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5444

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5512

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5588

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5660

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5720

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5784

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5848

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
4⤵
PID:5928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
5⤵
PID:5716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
6⤵
PID:7144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:6368

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
4⤵
PID:5992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Enterprise Client Service" /y
5⤵
PID:6116

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Agent" /y
4⤵
PID:6044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Agent" /y
5⤵
PID:6188

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
4⤵
PID:6108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
5⤵
PID:6400

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
4⤵
PID:5284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Clean Service" /y
5⤵
PID:6336

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
4⤵
PID:5624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
5⤵
PID:6480

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
4⤵
PID:5856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
5⤵
PID:6496

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
4⤵
PID:5844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Health Service" /y
5⤵
PID:6572

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
4⤵
PID:6288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Client" /y
5⤵
PID:6716

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
4⤵
PID:6460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
5⤵
PID:7092

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
4⤵
PID:6368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Message Router" /y
5⤵
PID:6880

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
4⤵
PID:6216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
5⤵
PID:6704

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
4⤵
PID:6532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
5⤵
PID:7116

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
4⤵
PID:6580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
5⤵
PID:7160

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:7172

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
4⤵
PID:6628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
5⤵
PID:6932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
5⤵
PID:7952

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
4⤵
PID:6768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
5⤵
PID:6668

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
4⤵
PID:6820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
5⤵
PID:6920

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
4⤵
PID:6684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
5⤵
PID:6196

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ARSM /y
4⤵
PID:7012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ARSM /y
5⤵
PID:6248

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
4⤵
PID:7144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
5⤵
PID:6700

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
4⤵
PID:7072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
5⤵
PID:6164

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop Antivirus /y
4⤵
PID:6960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
5⤵
PID:6276

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
4⤵
PID:2696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
5⤵
PID:6716

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AcrSch2Svc /y
4⤵
PID:6912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
5⤵
PID:6044

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AcronisAgent /y
4⤵
PID:6864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
5⤵
PID:6412

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
4⤵
PID:6456

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
5⤵
PID:6272

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecManagementService /y
4⤵
PID:6560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
5⤵
PID:7200

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop bedbg /y
4⤵
PID:6060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop bedbg /y
5⤵
PID:7220

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
4⤵
PID:5812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
5⤵
PID:7272

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecRPCService /y
4⤵
PID:6328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
5⤵
PID:7212

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EraserSvc11710 /y
4⤵
PID:5492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
5⤵
PID:7532

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop FA_Scheduler /y
4⤵
PID:6216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
5⤵
PID:7692

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop IISAdmin /y
4⤵
PID:6744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
5⤵
PID:7700

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EsgShKernel /y
4⤵
PID:6264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
5⤵
PID:7708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
5⤵
PID:7756

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EPUpdateService /y
4⤵
PID:5404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
5⤵
PID:7600

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EPSecurityService /y
4⤵
PID:6384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
5⤵
PID:7392

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop DCAgent /y
4⤵
PID:6124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
5⤵
PID:7408

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop IMAP4Svc /y
4⤵
PID:6300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IMAP4Svc /y
5⤵
PID:7904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
6⤵
PID:7632

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop macmnsvc /y
4⤵
PID:7180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
5⤵
PID:7888

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MBAMService /y
4⤵
PID:7304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
5⤵
PID:6908

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MBEndpointAgent /y
4⤵
PID:7360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
5⤵
PID:8140

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeEngineService /y
4⤵
PID:7428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
5⤵
PID:8156

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFramework /y
4⤵
PID:7484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
5⤵
PID:6608

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McShield /y
4⤵
PID:7620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
5⤵
PID:6536

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McTaskManager /y
4⤵
PID:7656

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfevtp /y
4⤵
PID:7804

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfemms /y
4⤵
PID:7748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
5⤵
PID:6532

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MMS /y
4⤵
PID:7848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
5⤵
PID:6948

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mozyprobackup /y
4⤵
PID:7912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
5⤵
PID:6660

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
4⤵
PID:7568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
5⤵
PID:6524

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop masvc /y
4⤵
PID:7252

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer /y
4⤵
PID:7980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
5⤵
PID:6920

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeIS /y
4⤵
PID:6880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
5⤵
PID:6700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
5⤵
PID:7788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6412

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
4⤵
PID:6828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
5⤵
PID:7372

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMTA /y
4⤵
PID:6476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
5⤵
PID:6404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:7300

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSA /y
4⤵
PID:6940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
5⤵
PID:7076

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
4⤵
PID:6820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
5⤵
PID:7004

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
4⤵
PID:7340

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
4⤵
PID:7012

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
4⤵
PID:6716

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
4⤵
PID:7036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
5⤵
PID:7704

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
4⤵
PID:6272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
5⤵
PID:2600

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPS /y
4⤵
PID:6172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
5⤵
PID:8160

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
4⤵
PID:7716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
5⤵
PID:7252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop masvc /y
6⤵
PID:7932

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:6088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
5⤵
PID:6680

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
4⤵
PID:7536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
5⤵
PID:7656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
6⤵
PID:8132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:7860

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
4⤵
PID:7564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
5⤵
PID:7504

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
4⤵
PID:2696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
5⤵
PID:7684

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
4⤵
PID:7000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
4⤵
PID:5984

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
4⤵
PID:7900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
5⤵
PID:7360

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
4⤵
PID:6836

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
4⤵
PID:6064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
5⤵
PID:7652

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
4⤵
PID:7700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
5⤵
PID:7764

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
4⤵
PID:6320

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
5⤵
PID:6492

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
4⤵
PID:7624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
5⤵
PID:7204

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
4⤵
PID:7664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
5⤵
PID:7172

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MySQL80 /y
4⤵
PID:7472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
5⤵
PID:6588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:7520

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ntrtscan /y
4⤵
PID:7676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
5⤵
PID:6028

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop OracleClientCache80 /y
4⤵
PID:7484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
5⤵
PID:7140

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop POP3Svc /y
4⤵
PID:7300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
5⤵
PID:6496

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer /y
4⤵
PID:6360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
5⤵
PID:5792

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
4⤵
PID:7876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
5⤵
PID:6932

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop PDVFSService /y
4⤵
PID:7620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
5⤵
PID:7552

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
4⤵
PID:6972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
5⤵
PID:7692

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPS /y
4⤵
PID:8016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
5⤵
PID:5224

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
4⤵
PID:6204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
5⤵
PID:7024

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop RESvc /y
4⤵
PID:7460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESvc /y
5⤵
PID:5992

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ShMonitor /y
4⤵
PID:6512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
5⤵
PID:7696

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SMTPSvc /y
4⤵
PID:7212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
5⤵
PID:7512

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SmcService /y
4⤵
PID:6388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
5⤵
PID:5844

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop Smcinst /y
4⤵
PID:6552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
5⤵
PID:6472

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
4⤵
PID:7084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
5⤵
PID:6492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
6⤵
PID:7804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
7⤵
PID:7052

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop sophossps /y
4⤵
PID:6312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
5⤵
PID:6444

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
4⤵
PID:7388

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
4⤵
PID:7340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
5⤵
PID:7120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
5⤵
PID:6232

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
4⤵
PID:6544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
5⤵
PID:6624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
6⤵
PID:6944

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
4⤵
PID:6600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
5⤵
PID:7668

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
4⤵
PID:6920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:7600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
5⤵
PID:7204

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
4⤵
PID:7792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
5⤵
PID:7664

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
4⤵
PID:7316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
5⤵
PID:7424

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
4⤵
PID:7096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
5⤵
PID:6480

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
4⤵
PID:6088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
5⤵
PID:6732

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
4⤵
PID:7348

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
5⤵
PID:6788

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
4⤵
PID:7612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
5⤵
PID:7816

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
4⤵
PID:6656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
5⤵
PID:7544

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SntpService /y
4⤵
PID:7356

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SNAC /y
4⤵
PID:7256

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SepMasterService /y
4⤵
PID:6244

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SDRSVC /y
4⤵
PID:7100

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SAVService /y
4⤵
PID:6564

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SAVAdminService /y
4⤵
PID:6880

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SamSs /y
4⤵
PID:7608

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop sacsvr /y
4⤵
PID:5716

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
4⤵
PID:7772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
5⤵
PID:7676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6684

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
4⤵
PID:7948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
5⤵
PID:8040

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
4⤵
PID:7436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
5⤵
PID:6976

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLWriter /y
4⤵
PID:6928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
5⤵
PID:6148

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SstpSvc /y
4⤵
PID:6192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
5⤵
PID:7540

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
4⤵
PID:7748

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_filter /y
4⤵
PID:8076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:7304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
5⤵
PID:6372

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_service /y
4⤵
PID:7520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
5⤵
PID:6988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:6580

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_update_64 /y
4⤵
PID:7780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
5⤵
PID:7260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
5⤵
PID:7516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6532

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop svcGenericHost /y
4⤵
PID:6792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
5⤵
PID:6224

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TmCCSF /y
4⤵
PID:5996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
5⤵
PID:5932

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKey /y
4⤵
PID:7576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
5⤵
PID:6552

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop tmlisten /y
4⤵
PID:7460

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop UI0Detect /y
4⤵
PID:7960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
5⤵
PID:7512

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
4⤵
PID:7684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
5⤵
PID:7184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:6184

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
4⤵
PID:7012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
5⤵
PID:6972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
5⤵
PID:6332

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
4⤵
PID:7208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
5⤵
PID:7604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:7696

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
4⤵
PID:5328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
5⤵
PID:7712

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
4⤵
PID:6336

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
5⤵
PID:6836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher /y
6⤵
PID:6652

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
4⤵
PID:8188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
5⤵
PID:6008

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop W3Svc /y
4⤵
PID:8144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
5⤵
PID:7828

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
4⤵
PID:7132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
5⤵
PID:7916

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
4⤵
PID:7860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
5⤵
PID:7596

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQL Backups" /y
4⤵
PID:7612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:7388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
6⤵
PID:6356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQL Backups" /y
5⤵
PID:7756

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
4⤵
PID:7376

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
5⤵
PID:8004

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROD /y
4⤵
PID:7652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
5⤵
PID:7736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:8140

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
4⤵
PID:6920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
5⤵
PID:6736

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
4⤵
PID:6516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
5⤵
PID:7540

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
4⤵
PID:6360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
5⤵
PID:7080

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ekrn /y
4⤵
PID:7364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
5⤵
PID:6496

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
4⤵
PID:7748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:7316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
5⤵
PID:7768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
5⤵
PID:6204

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ESHASRV /y
4⤵
PID:6476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
5⤵
PID:7460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
6⤵
PID:6940

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
4⤵
PID:6420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
5⤵
PID:6824

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AVP /y
4⤵
PID:6236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:7608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AVP /y
5⤵
PID:7292

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop klnagent /y
4⤵
PID:6648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:7140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop klnagent /y
5⤵
PID:6292

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EhttpSrv /y
4⤵
PID:6044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
5⤵
PID:5896

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop NetMsmqActivator /y
4⤵
PID:6756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
5⤵
PID:6268

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop msftesql$PROD /y
4⤵
PID:6272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
5⤵
PID:5760

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop kavfsslp /y
4⤵
PID:6224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
5⤵
PID:5780

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop KAVFSGT /y
4⤵
PID:7420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:7996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
5⤵
PID:7124

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfefire /y
4⤵
PID:6552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfefire /y
5⤵
PID:7056

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop KAVFS /y
4⤵
PID:7160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
5⤵
PID:6380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\ZqqUZ.exe" /f
4⤵
PID:7908

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\ZqqUZ.exe" /f
5⤵
- Adds Run key to start application
PID:6720

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
4⤵
PID:7780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:7024

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
4⤵
PID:7572

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
4⤵
PID:7836

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
4⤵
PID:7040

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_update /y
4⤵
PID:6184

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:6644

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop WRSVC /y
4⤵
PID:6492

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
4⤵
PID:6624

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamMountSvc /y
4⤵
PID:6160

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
4⤵
PID:6852

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
4⤵
PID:8012

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
4⤵
PID:6804

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
4⤵
PID:6712

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
4⤵
PID:7900

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
4⤵
PID:8056

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLBrowser /y
4⤵
PID:7904

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MySQL57 /y
4⤵
PID:7744

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLSERVER /y
4⤵
PID:6628

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
4⤵
PID:6192

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
4⤵
PID:6264

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
4⤵
PID:6168

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
4⤵
PID:6464

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
4⤵
PID:6732

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
4⤵
PID:6988

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSRS /y
4⤵
PID:7080

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeES /y
4⤵
PID:8184

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer110 /y
4⤵
PID:8100

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer100 /y
4⤵
PID:8052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:6252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:7092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
1⤵
PID:6784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
1⤵
PID:7888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
1⤵
PID:6708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
1⤵
PID:6596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:6548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
1⤵
PID:6488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
1⤵
PID:6976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:7996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:6920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
1⤵
PID:7884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:7980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
1⤵
PID:6520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:6820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
1⤵
PID:6752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
1⤵
PID:5644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SNAC /y
1⤵
PID:5188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
1⤵
PID:6384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
1⤵
PID:6240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:7272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:6376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
1⤵
PID:7592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:6672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
1⤵
PID:7332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:6980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
1⤵
PID:7400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:7876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:7928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
1⤵
PID:7352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
1⤵
PID:6916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:6716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
2⤵
PID:7692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
1⤵
PID:7396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:8072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:6596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\ZqqUZ.exe
MD5
c0202cf6aeab8437c638533d14563d35

SHA1
5767653494d05b3f3f38f1662a63335d09ae6489

SHA256
8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b

SHA512
02516128d43914d6ff1b7e702d25771aafd2edccee1729f88ad621cea15a648bb2737b87f564e0711e6f8f99c43eb406b3b6137c68086774f1417642d51c07c0

Download Submit
C:\users\Public\ZqqUZ.exe
MD5
c0202cf6aeab8437c638533d14563d35

SHA1
5767653494d05b3f3f38f1662a63335d09ae6489

SHA256
8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b

SHA512
02516128d43914d6ff1b7e702d25771aafd2edccee1729f88ad621cea15a648bb2737b87f564e0711e6f8f99c43eb406b3b6137c68086774f1417642d51c07c0

Download Submit
memory/428-135-0x0000000000000000-mapping.dmp

Download
memory/652-126-0x0000000000000000-mapping.dmp

Download
memory/748-125-0x0000000000000000-mapping.dmp

Download
memory/900-132-0x0000000000000000-mapping.dmp

Download
memory/1016-128-0x0000000000000000-mapping.dmp

Download
memory/1312-129-0x0000000000000000-mapping.dmp

Download
memory/1804-123-0x0000000008D00000-0x0000000008D62000-memory.dmp

Filesize
392KB

Download
memory/1804-117-0x0000000000400000-0x0000000006E8E000-memory.dmp

Filesize
106.6MB

Download
memory/1804-124-0x0000000000400000-0x0000000006E8E000-memory.dmp

Filesize
106.6MB

Download
memory/1804-119-0x0000000000400000-0x0000000006E8E000-memory.dmp

Filesize
106.6MB

Download
memory/1804-118-0x00000000004036B0-mapping.dmp

Download
memory/2108-131-0x0000000000000000-mapping.dmp

Download
memory/2436-187-0x00007FF655520000-0x00007FF655556000-memory.dmp

Filesize
216KB

Download
memory/2588-120-0x0000000000000000-mapping.dmp

Download
memory/2688-133-0x0000000000000000-mapping.dmp

Download
memory/2760-154-0x0000000000000000-mapping.dmp

Download
memory/3096-130-0x0000000000000000-mapping.dmp

Download
memory/3856-127-0x0000000000000000-mapping.dmp

Download
memory/3976-115-0x0000000000400000-0x0000000003754000-memory.dmp

Filesize
51.3MB

Download
memory/3976-116-0x0000000003EB0000-0x0000000003F1B000-memory.dmp

Filesize
428KB

Download
memory/3976-114-0x0000000003E00000-0x0000000003EA7000-memory.dmp

Filesize
668KB

Download
memory/3984-136-0x0000000000000000-mapping.dmp

Download
memory/4004-134-0x0000000000000000-mapping.dmp

Download
memory/4124-152-0x0000000000000000-mapping.dmp

Download
memory/4164-137-0x0000000000000000-mapping.dmp

Download
memory/4172-156-0x0000000000000000-mapping.dmp

Download
memory/4216-138-0x0000000000000000-mapping.dmp

Download
memory/4276-139-0x0000000000000000-mapping.dmp

Download
memory/4328-140-0x0000000000000000-mapping.dmp

Download
memory/4404-141-0x0000000000000000-mapping.dmp

Download
memory/4460-142-0x0000000000000000-mapping.dmp

Download
memory/4512-153-0x0000000000000000-mapping.dmp

Download
memory/4528-143-0x0000000000000000-mapping.dmp

Download
memory/4588-144-0x0000000000000000-mapping.dmp

Download
memory/4656-145-0x0000000000000000-mapping.dmp

Download
memory/4724-146-0x0000000000000000-mapping.dmp

Download
memory/4792-147-0x0000000000000000-mapping.dmp

Download
memory/4868-148-0x0000000000000000-mapping.dmp

Download
memory/4944-149-0x0000000000000000-mapping.dmp

Download
memory/4952-155-0x0000000000000000-mapping.dmp

Download
memory/5012-150-0x0000000000000000-mapping.dmp

Download
memory/5068-151-0x0000000000000000-mapping.dmp

Download
memory/5152-157-0x0000000000000000-mapping.dmp

Download
memory/5216-158-0x0000000000000000-mapping.dmp

Download
memory/5276-159-0x0000000000000000-mapping.dmp

Download
memory/5284-173-0x0000000000000000-mapping.dmp

Download
memory/5332-160-0x0000000000000000-mapping.dmp

Download
memory/5396-161-0x0000000000000000-mapping.dmp

Download
memory/5444-162-0x0000000000000000-mapping.dmp

Download
memory/5512-163-0x0000000000000000-mapping.dmp

Download
memory/5588-164-0x0000000000000000-mapping.dmp

Download
memory/5624-174-0x0000000000000000-mapping.dmp

Download
memory/5660-165-0x0000000000000000-mapping.dmp

Download
memory/5716-175-0x0000000000000000-mapping.dmp

Download
memory/5720-166-0x0000000000000000-mapping.dmp

Download
memory/5784-167-0x0000000000000000-mapping.dmp

Download
memory/5844-178-0x0000000000000000-mapping.dmp

Download
memory/5848-168-0x0000000000000000-mapping.dmp

Download
memory/5856-176-0x0000000000000000-mapping.dmp

Download
memory/5928-169-0x0000000000000000-mapping.dmp

Download
memory/5992-170-0x0000000000000000-mapping.dmp

Download
memory/6044-171-0x0000000000000000-mapping.dmp

Download
memory/6108-172-0x0000000000000000-mapping.dmp

Download
memory/6116-177-0x0000000000000000-mapping.dmp

Download
memory/6188-179-0x0000000000000000-mapping.dmp

Download
memory/6216-180-0x0000000000000000-mapping.dmp

Download
memory/6288-181-0x0000000000000000-mapping.dmp

Download
memory/6336-182-0x0000000000000000-mapping.dmp

Download
memory/6368-183-0x0000000000000000-mapping.dmp

Download
memory/6400-184-0x0000000000000000-mapping.dmp

Download
memory/6460-185-0x0000000000000000-mapping.dmp

Download
memory/6480-186-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads