ryuk | 8141f47a1ee8453ac01daacb16cab2d18b37a9045edc5f20c9019d4327576704

General

Target

8141f47a1ee8453ac01daacb16cab2d18b37a9045edc5f20c9019d4327576704.exe
Size

378KB
MD5

1643b85e7f459c6ffe1e5ab9ebb53f93
SHA1

3e42d07d89ef8d66b9a60664a53cbe7ae423c11c
SHA256

8141f47a1ee8453ac01daacb16cab2d18b37a9045edc5f20c9019d4327576704
SHA512

95a9a58bb84007dd1d8e37e6bf8cb2736003cc456951bfdaeaa24bc8696f0cc53e98225176f7de76a053a032e0c9d9b25e3cef57a3c289b2b932ac610b23b3d5

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz Ryuk No system is safe

Emails

[email protected]

Wallets

1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

wNvNG.exe

pid process

808 wNvNG.exe
Deletes itself 1 IoCs

Processes:

wNvNG.exe

pid process

808 wNvNG.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\wNvNG.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

sihost.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	sihost.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\AppXManifest.xml	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.dom.smil_1.0.0.v200806040011.jar	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\calendars.properties	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-explorer.xml	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util.jar	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN026.XML	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\artifacts.xml	sihost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\rt.jar	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCalls.h	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

8436 3708 WerFault.exe DllHost.exe

pid	pid_target	process	target process
8436	3708	WerFault.exe	DllHost.exe

Kills process with taskkill 44 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
436	taskkill.exe
684	taskkill.exe
4092	taskkill.exe
4800	taskkill.exe
5032	taskkill.exe
4360	taskkill.exe
3412	taskkill.exe
1748	taskkill.exe
2140	taskkill.exe
4544	taskkill.exe
4728	taskkill.exe
4936	taskkill.exe
1536	taskkill.exe
2940	taskkill.exe
2284	taskkill.exe
1128	taskkill.exe
4592	taskkill.exe
4664	taskkill.exe
4472	taskkill.exe
1228	taskkill.exe
2264	taskkill.exe
356	taskkill.exe
4296	taskkill.exe
4872	taskkill.exe
4600	taskkill.exe
2424	taskkill.exe
604	taskkill.exe
2320	taskkill.exe
1972	taskkill.exe
4004	taskkill.exe
3612	taskkill.exe
4200	taskkill.exe
1256	taskkill.exe
2692	taskkill.exe
708	taskkill.exe
4132	taskkill.exe
4260	taskkill.exe
4368	taskkill.exe
1236	taskkill.exe
3996	taskkill.exe
2276	taskkill.exe
2576	taskkill.exe
4424	taskkill.exe
5088	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

wNvNG.exeWerFault.exe

pid	process
808	wNvNG.exe
808	wNvNG.exe
8436	WerFault.exe
8436	WerFault.exe
8436	WerFault.exe
8436	WerFault.exe
8436	WerFault.exe
8436	WerFault.exe
8436	WerFault.exe
8436	WerFault.exe
8436	WerFault.exe
8436	WerFault.exe
8436	WerFault.exe
8436	WerFault.exe
8436	WerFault.exe
8436	WerFault.exe
8436	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

wNvNG.exe

pid process

808 wNvNG.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exewNvNG.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	684	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	3996	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	436	taskkill.exe
Token: SeDebugPrivilege	3412	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	604	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	4092	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	708	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	3612	taskkill.exe
Token: SeDebugPrivilege	1128	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	4132	taskkill.exe
Token: SeDebugPrivilege	356	taskkill.exe
Token: SeDebugPrivilege	4200	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	4296	taskkill.exe
Token: SeDebugPrivilege	4368	taskkill.exe
Token: SeDebugPrivilege	4424	taskkill.exe
Token: SeDebugPrivilege	4472	taskkill.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	4544	taskkill.exe
Token: SeDebugPrivilege	4728	taskkill.exe
Token: SeDebugPrivilege	4664	taskkill.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	4800	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	5088	taskkill.exe
Token: SeDebugPrivilege	4360	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	808	wNvNG.exe
Token: SeDebugPrivilege	8436	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8141f47a1ee8453ac01daacb16cab2d18b37a9045edc5f20c9019d4327576704.exewNvNG.exe

description	pid	process	target process
PID 3704 wrote to memory of 808	3704	8141f47a1ee8453ac01daacb16cab2d18b37a9045edc5f20c9019d4327576704.exe	wNvNG.exe
PID 3704 wrote to memory of 808	3704	8141f47a1ee8453ac01daacb16cab2d18b37a9045edc5f20c9019d4327576704.exe	wNvNG.exe
PID 808 wrote to memory of 1256	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 1256	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 1236	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 1236	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2424	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2424	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 604	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 604	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 1536	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 1536	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 3412	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 3412	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 436	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 436	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 3996	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 3996	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 684	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 684	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 1228	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 1228	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2320	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2320	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2940	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2940	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2276	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2276	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 1972	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 1972	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2692	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2692	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 1748	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 1748	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 4092	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 4092	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 4004	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 4004	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2576	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2576	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 708	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 708	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2140	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2140	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2284	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2284	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 3612	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 3612	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 1128	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 1128	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2264	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 2264	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 356	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 356	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 4132	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 4132	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 4200	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 4200	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 4260	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 4260	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 4296	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 4296	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 4368	808	wNvNG.exe	taskkill.exe
PID 808 wrote to memory of 4368	808	wNvNG.exe	taskkill.exe

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3268

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3284

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3708 -s 832
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8436

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3472

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2784

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2504

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Drops file in Program Files directory
PID:2488

C:\Users\Admin\AppData\Local\Temp\8141f47a1ee8453ac01daacb16cab2d18b37a9045edc5f20c9019d4327576704.exe
"C:\Users\Admin\AppData\Local\Temp\8141f47a1ee8453ac01daacb16cab2d18b37a9045edc5f20c9019d4327576704.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3704

C:\users\Public\wNvNG.exe
"C:\users\Public\wNvNG.exe" C:\Users\Admin\AppData\Local\Temp\8141f47a1ee8453ac01daacb16cab2d18b37a9045edc5f20c9019d4327576704.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM excel.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:356

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM steam.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM visio.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM winword.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
3⤵
PID:5144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
4⤵
PID:5720

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
3⤵
PID:5188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Enterprise Client Service" /y
4⤵
PID:5764

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Agent" /y
3⤵
PID:5256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Agent" /y
4⤵
PID:5392

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
3⤵
PID:5304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
4⤵
PID:6108

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
3⤵
PID:5380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Clean Service" /y
4⤵
PID:6084

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
3⤵
PID:5428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
4⤵
PID:6092

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
3⤵
PID:5476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
4⤵
PID:6076

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
3⤵
PID:5544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Health Service" /y
4⤵
PID:5268

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
3⤵
PID:5600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
4⤵
PID:5196

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
3⤵
PID:5640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Client" /y
4⤵
PID:6068

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
3⤵
PID:5696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Message Router" /y
4⤵
PID:6164

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
3⤵
PID:5748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
4⤵
PID:6348

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
3⤵
PID:5792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
4⤵
PID:6184

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
3⤵
PID:5844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
4⤵
PID:6304

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
3⤵
PID:5880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
4⤵
PID:6360

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
3⤵
PID:5916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
4⤵
PID:6476

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
3⤵
PID:5972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
4⤵
PID:6516

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
3⤵
PID:6032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
4⤵
PID:6724

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AcrSch2Svc /y
3⤵
PID:5592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
4⤵
PID:6712

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop Antivirus /y
3⤵
PID:5888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
4⤵
PID:6780

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AcronisAgent /y
3⤵
PID:6136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
4⤵
PID:6748

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ARSM /y
3⤵
PID:6192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ARSM /y
4⤵
PID:6808

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
3⤵
PID:6268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
4⤵
PID:7076

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
3⤵
PID:6320

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
4⤵
PID:6800

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
3⤵
PID:6384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
4⤵
PID:6276

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecManagementService /y
3⤵
PID:6536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
4⤵
PID:7088

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
3⤵
PID:6464

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
4⤵
PID:7124

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecRPCService /y
3⤵
PID:6624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
4⤵
PID:7264

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
3⤵
PID:6816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
4⤵
PID:7376

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop DCAgent /y
3⤵
PID:6896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
4⤵
PID:7444

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop bedbg /y
3⤵
PID:6848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop bedbg /y
4⤵
PID:7496

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EPSecurityService /y
3⤵
PID:6944

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
4⤵
PID:7336

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EPUpdateService /y
3⤵
PID:7004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
4⤵
PID:7616

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EsgShKernel /y
3⤵
PID:7132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
4⤵
PID:7428

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EraserSvc11710 /y
3⤵
PID:7068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
4⤵
PID:7684

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop FA_Scheduler /y
3⤵
PID:6576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
4⤵
PID:7876

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop IMAP4Svc /y
3⤵
PID:6764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IMAP4Svc /y
4⤵
PID:7864

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop macmnsvc /y
3⤵
PID:7240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
4⤵
PID:7804

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MBAMService /y
3⤵
PID:7368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
4⤵
PID:8052

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop masvc /y
3⤵
PID:7316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop masvc /y
4⤵
PID:8064

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeEngineService /y
3⤵
PID:7560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
4⤵
PID:8096

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
3⤵
PID:7668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
4⤵
PID:8284

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFramework /y
3⤵
PID:7596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
4⤵
PID:8324

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MBEndpointAgent /y
3⤵
PID:7468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
4⤵
PID:7456

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McShield /y
3⤵
PID:7728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
4⤵
PID:8316

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McTaskManager /y
3⤵
PID:7784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
4⤵
PID:8448

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfemms /y
3⤵
PID:7856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
4⤵
PID:8420

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop IISAdmin /y
3⤵
PID:6936

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfevtp /y
3⤵
PID:7928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
4⤵
PID:8460

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MMS /y
3⤵
PID:7980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
4⤵
PID:8516

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mozyprobackup /y
3⤵
PID:8028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
4⤵
PID:8692

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer /y
3⤵
PID:8132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
4⤵
PID:8640

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer100 /y
3⤵
PID:6952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
4⤵
PID:8936

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer110 /y
3⤵
PID:7844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
4⤵
PID:8924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
5⤵
PID:11412

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeES /y
3⤵
PID:8204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
4⤵
PID:8904

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
3⤵
PID:8352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
4⤵
PID:9084

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMTA /y
3⤵
PID:8388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
4⤵
PID:9076

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSA /y
3⤵
PID:8484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
4⤵
PID:9116

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSRS /y
3⤵
PID:8560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
4⤵
PID:8608

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
3⤵
PID:8612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
4⤵
PID:9204

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
3⤵
PID:8704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
4⤵
PID:9132

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
3⤵
PID:8784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
4⤵
PID:9380

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
3⤵
PID:8828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
4⤵
PID:9512

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeIS /y
3⤵
PID:8292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
4⤵
PID:9024

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
3⤵
PID:8988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
4⤵
PID:9672

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
3⤵
PID:9048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
4⤵
PID:9648

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
3⤵
PID:9144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
4⤵
PID:9744

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
3⤵
PID:8912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
4⤵
PID:9220

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
3⤵
PID:7176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
4⤵
PID:9724

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
3⤵
PID:8932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
4⤵
PID:9964

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
3⤵
PID:9280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
4⤵
PID:10032

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
3⤵
PID:9348

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
4⤵
PID:10056

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPS /y
3⤵
PID:9404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
4⤵
PID:9980

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
3⤵
PID:9472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
4⤵
PID:10124

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:9540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:9960

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
3⤵
PID:8492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
4⤵
PID:9756

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
3⤵
PID:9664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
4⤵
PID:9988

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
3⤵
PID:9780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
4⤵
PID:10460

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
3⤵
PID:9732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher /y
4⤵
PID:10480

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
3⤵
PID:9836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
4⤵
PID:10496

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
3⤵
PID:9908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
4⤵
PID:10488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
4⤵
PID:7392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6076

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
3⤵
PID:10040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
4⤵
PID:10772

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
3⤵
PID:10168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
4⤵
PID:10812

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
3⤵
PID:9788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
4⤵
PID:10824

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLSERVER /y
3⤵
PID:8472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
4⤵
PID:10800

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
3⤵
PID:10100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
4⤵
PID:10720

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
3⤵
PID:9972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
4⤵
PID:10472

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
3⤵
PID:10512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
4⤵
PID:11156

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MySQL80 /y
3⤵
PID:10536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
4⤵
PID:11196

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MySQL57 /y
3⤵
PID:10584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
4⤵
PID:9252

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ntrtscan /y
3⤵
PID:10648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
4⤵
PID:11124

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop OracleClientCache80 /y
3⤵
PID:10732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
4⤵
PID:11348

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop PDVFSService /y
3⤵
PID:10780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
4⤵
PID:11332

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop POP3Svc /y
3⤵
PID:10868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
4⤵
PID:11316

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer /y
3⤵
PID:10916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
4⤵
PID:11340

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
3⤵
PID:10976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
4⤵
PID:11324

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
3⤵
PID:11040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
4⤵
PID:11516

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPS /y
3⤵
PID:11104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
4⤵
PID:11508

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop RESvc /y
3⤵
PID:11240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESvc /y
4⤵
PID:11524

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop sacsvr /y
3⤵
PID:10592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
4⤵
PID:11704

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
3⤵
PID:11164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
4⤵
PID:11548

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SamSs /y
3⤵
PID:11372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
4⤵
PID:11980

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SAVAdminService /y
3⤵
PID:11536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
4⤵
PID:11712

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SAVService /y
3⤵
PID:11592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
4⤵
PID:12300

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SDRSVC /y
3⤵
PID:11660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
4⤵
PID:12252

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ShMonitor /y
3⤵
PID:11740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
4⤵
PID:11748

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop Smcinst /y
3⤵
PID:11792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
4⤵
PID:12244

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SepMasterService /y
3⤵
PID:11692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
4⤵
PID:12168

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SmcService /y
3⤵
PID:11848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
4⤵
PID:12404

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SMTPSvc /y
3⤵
PID:11888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
4⤵
PID:12396

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SNAC /y
3⤵
PID:11920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SNAC /y
4⤵
PID:12372

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SntpService /y
3⤵
PID:11968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
4⤵
PID:12536

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop sophossps /y
3⤵
PID:12016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
4⤵
PID:12564

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
3⤵
PID:12052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
4⤵
PID:12572

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
3⤵
PID:12080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
4⤵
PID:12668

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
3⤵
PID:12184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
4⤵
PID:12708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
3⤵
PID:12272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
4⤵
PID:12920

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
3⤵
PID:11940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
4⤵
PID:12988

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
3⤵
PID:12284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
4⤵
PID:13092

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
3⤵
PID:12432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
4⤵
PID:8112

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
3⤵
PID:12352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
4⤵
PID:13076

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:12604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
4⤵
PID:13288

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
3⤵
PID:12656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
4⤵
PID:6660

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
3⤵
PID:12784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
4⤵
PID:10000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
3⤵
PID:12980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
4⤵
PID:10924

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLWriter /y
3⤵
PID:13036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
4⤵
PID:11096

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop svcGenericHost /y
3⤵
PID:13208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
4⤵
PID:9136

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_service /y
3⤵
PID:12296

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
4⤵
PID:9612

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_filter /y
3⤵
PID:13276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
4⤵
PID:10260

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SstpSvc /y
3⤵
PID:13128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
4⤵
PID:6096

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TmCCSF /y
3⤵
PID:9224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
4⤵
PID:7932

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_update_64 /y
3⤵
PID:7196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
4⤵
PID:7572

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop tmlisten /y
3⤵
PID:11268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
4⤵
PID:6220

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
3⤵
PID:10492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
4⤵
PID:11432

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
3⤵
PID:8524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
4⤵
PID:6920

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
3⤵
PID:11064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
4⤵
PID:5764

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
3⤵
PID:10496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
4⤵
PID:6904

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
3⤵
PID:8644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
4⤵
PID:6108

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
3⤵
PID:11244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
4⤵
PID:8608

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
3⤵
PID:6112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
4⤵
PID:8208

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
3⤵
PID:11076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
4⤵
PID:6908

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamMountSvc /y
3⤵
PID:9408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
4⤵
PID:7508

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
3⤵
PID:10776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:10488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
4⤵
PID:6172

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
3⤵
PID:8692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:11324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
4⤵
PID:5288

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
3⤵
PID:9912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
4⤵
PID:7092

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
3⤵
PID:10484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
4⤵
PID:5920

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
3⤵
PID:10672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
4⤵
PID:9548

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop W3Svc /y
3⤵
PID:9116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
4⤵
PID:11036

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop WRSVC /y
3⤵
PID:9132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
4⤵
PID:10532

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:8640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:7460

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop UI0Detect /y
3⤵
PID:6996

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_update /y
3⤵
PID:11340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
4⤵
PID:8592

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
3⤵
PID:8104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
4⤵
PID:7664

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
3⤵
PID:5532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
4⤵
PID:9404

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
3⤵
PID:8740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
4⤵
PID:7208

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop NetMsmqActivator /y
3⤵
PID:10288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
4⤵
PID:7788

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EhttpSrv /y
3⤵
PID:5804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
4⤵
PID:7600

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ekrn /y
3⤵
PID:8784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
4⤵
PID:7984

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ESHASRV /y
3⤵
PID:10228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
4⤵
PID:8232

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
3⤵
PID:5924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
4⤵
PID:9588

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AVP /y
3⤵
PID:6180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AVP /y
4⤵
PID:7992

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
3⤵
PID:8036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
4⤵
PID:9032

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
3⤵
PID:10152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
4⤵
PID:9068

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop KAVFS /y
3⤵
PID:11368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
4⤵
PID:5676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\wNvNG.exe" /f
3⤵
PID:6860

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\wNvNG.exe" /f
4⤵
- Adds Run key to start application
PID:9636

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfefire /y
3⤵
PID:6892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfefire /y
4⤵
PID:6268

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop KAVFSGT /y
3⤵
PID:11108

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop kavfsslp /y
3⤵
PID:8392

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
3⤵
PID:9908

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop klnagent /y
3⤵
PID:7212

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
3⤵
PID:8808

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop msftesql$PROD /y
3⤵
PID:11032

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
3⤵
PID:8424

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROD /y
3⤵
PID:8752

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQL Backups" /y
3⤵
PID:11932

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
3⤵
PID:6204

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
3⤵
PID:12592

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:8924

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKey /y
3⤵
PID:8068

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
3⤵
PID:12892

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
3⤵
PID:12828

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLBrowser /y
3⤵
PID:12728

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
3⤵
PID:12544

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
3⤵
PID:12480

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
3⤵
PID:11676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
1⤵
PID:7820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
1⤵
PID:12944

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
1⤵
PID:9088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
1⤵
PID:12440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:8404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:9932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
1⤵
PID:6724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
1⤵
PID:8060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQL Backups" /y
1⤵
PID:10628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
1⤵
PID:7284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:7728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
1⤵
PID:12664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:7176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
1⤵
PID:6576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
1⤵
PID:9700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop klnagent /y
1⤵
PID:11240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
1⤵
PID:7608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:11508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
1⤵
PID:9060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
1⤵
PID:9112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
1⤵
PID:6592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
1⤵
PID:8760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:5880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\wNvNG.exe

MD5
166686d538ec9a0e0550347149aac4cc

SHA1
e50b973d43a77d7a2c1bf56e22d64d168ee8c170

SHA256
1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7

SHA512
72dc38caa810a976a2497306a87e637ff9e47ca145ede2bdc0e3d687c1793df6b734538c22de37f45d74aaf7472e07fc11df399fef03bda203eb078188d37129

Download Submit
C:\users\Public\wNvNG.exe

MD5
166686d538ec9a0e0550347149aac4cc

SHA1
e50b973d43a77d7a2c1bf56e22d64d168ee8c170

SHA256
1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7

SHA512
72dc38caa810a976a2497306a87e637ff9e47ca145ede2bdc0e3d687c1793df6b734538c22de37f45d74aaf7472e07fc11df399fef03bda203eb078188d37129

Download Submit
memory/1256-118-0x00007FF766A60000-0x00007FF766A95000-memory.dmp

Filesize
212KB

Download
memory/2488-117-0x00007FF766A60000-0x00007FF766A95000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads