ryuk | 1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7

General

Target

1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe
Size

168KB
MD5

166686d538ec9a0e0550347149aac4cc
SHA1

e50b973d43a77d7a2c1bf56e22d64d168ee8c170
SHA256

1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7
SHA512

72dc38caa810a976a2497306a87e637ff9e47ca145ede2bdc0e3d687c1793df6b734538c22de37f45d74aaf7472e07fc11df399fef03bda203eb078188d37129

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz Ryuk No system is safe

Emails

[email protected]

Wallets

1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

sihost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\splash.gif	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-dialogs.jar	sihost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jce.jar	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiItalic.ttf	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox_1.0.500.v20131211-1531.jar	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyoptionaltools.jar	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_ja_4.4.0.v20140623020002.jar	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-ms	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6780 3768 WerFault.exe DllHost.exe

pid	pid_target	process	target process
6780	3768	WerFault.exe	DllHost.exe

Kills process with taskkill 44 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4824	taskkill.exe
4896	taskkill.exe
4244	taskkill.exe
1160	taskkill.exe
1776	taskkill.exe
2916	taskkill.exe
2224	taskkill.exe
4188	taskkill.exe
4352	taskkill.exe
4404	taskkill.exe
3584	taskkill.exe
4740	taskkill.exe
3740	taskkill.exe
2564	taskkill.exe
2000	taskkill.exe
496	taskkill.exe
2316	taskkill.exe
732	taskkill.exe
3532	taskkill.exe
4296	taskkill.exe
4480	taskkill.exe
4532	taskkill.exe
3776	taskkill.exe
512	taskkill.exe
1324	taskkill.exe
4128	taskkill.exe
4040	taskkill.exe
412	taskkill.exe
3976	taskkill.exe
1292	taskkill.exe
996	taskkill.exe
3812	taskkill.exe
4600	taskkill.exe
5032	taskkill.exe
2776	taskkill.exe
1332	taskkill.exe
2836	taskkill.exe
1032	taskkill.exe
2256	taskkill.exe
3588	taskkill.exe
2804	taskkill.exe
4672	taskkill.exe
5000	taskkill.exe
2160	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exeWerFault.exe

pid	process
2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe
2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe
6780	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe

pid process

2192 1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4040	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	3776	taskkill.exe
Token: SeDebugPrivilege	412	taskkill.exe
Token: SeDebugPrivilege	3588	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	512	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	732	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	3812	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	3532	taskkill.exe
Token: SeDebugPrivilege	4128	taskkill.exe
Token: SeDebugPrivilege	496	taskkill.exe
Token: SeDebugPrivilege	4188	taskkill.exe
Token: SeDebugPrivilege	4244	taskkill.exe
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	4296	taskkill.exe
Token: SeDebugPrivilege	4404	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeDebugPrivilege	4532	taskkill.exe
Token: SeDebugPrivilege	4740	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeDebugPrivilege	4824	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeDebugPrivilege	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe
Token: SeDebugPrivilege	6780	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe

description	pid	process	target process
PID 2192 wrote to memory of 2776	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2776	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 3776	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 3776	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 4040	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 4040	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 3588	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 3588	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 1332	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 1332	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 412	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 412	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2316	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2316	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 512	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 512	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 3976	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 3976	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 3584	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 3584	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2836	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2836	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 1292	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 1292	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 732	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 732	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 1160	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 1160	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 996	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 996	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 1324	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 1324	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 1776	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 1776	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 1032	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 1032	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2160	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2160	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 3740	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 3740	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 3812	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 3812	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2916	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2916	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2804	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2804	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2256	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2256	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2224	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2224	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 3532	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 3532	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2564	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2564	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2000	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 2000	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 496	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 496	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 4128	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 4128	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 4188	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 4188	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 4244	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe
PID 2192 wrote to memory of 4244	2192	1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe	taskkill.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Drops file in Program Files directory
PID:2448

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2760

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3256

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3768 -s 836
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6780

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3512

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe
"C:\Users\Admin\AppData\Local\Temp\1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2120

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3792

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1540

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
2⤵
PID:4156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
3⤵
PID:5696

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
2⤵
PID:4884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Enterprise Client Service" /y
3⤵
PID:5648

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Agent" /y
2⤵
PID:5148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Agent" /y
3⤵
PID:5640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6196

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
2⤵
PID:5208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
3⤵
PID:5820

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
2⤵
PID:5288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Clean Service" /y
3⤵
PID:5844

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
2⤵
PID:5352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
3⤵
PID:5960

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
2⤵
PID:5404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
3⤵
PID:5588

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
2⤵
PID:5464

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Health Service" /y
3⤵
PID:5472

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
2⤵
PID:5536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
3⤵
PID:5756

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
2⤵
PID:5580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Client" /y
3⤵
PID:5720

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
2⤵
PID:5616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Message Router" /y
3⤵
PID:5624

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
2⤵
PID:5676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
3⤵
PID:5780

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
2⤵
PID:5732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
3⤵
PID:5564

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
2⤵
PID:5772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
3⤵
PID:6456

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
2⤵
PID:5832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
3⤵
PID:6416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
3⤵
PID:7132

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
2⤵
PID:5880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
3⤵
PID:6508

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
2⤵
PID:5936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
3⤵
PID:6440

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
2⤵
PID:6004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
3⤵
PID:6448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
4⤵
PID:5604

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AcronisAgent /y
2⤵
PID:6068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
3⤵
PID:6628

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AcrSch2Svc /y
2⤵
PID:5996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
3⤵
PID:6728

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop Antivirus /y
2⤵
PID:6168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
3⤵
PID:6768

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ARSM /y
2⤵
PID:6220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ARSM /y
3⤵
PID:6900

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:6304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
3⤵
PID:6864

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:6360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
3⤵
PID:6948

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
2⤵
PID:6484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
3⤵
PID:6520

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
2⤵
PID:6424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
3⤵
PID:7132

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecManagementService /y
2⤵
PID:6568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
3⤵
PID:6076

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecRPCService /y
2⤵
PID:6664

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop bedbg /y
2⤵
PID:6752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop bedbg /y
3⤵
PID:6824

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
2⤵
PID:6700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
3⤵
PID:5708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop DCAgent /y
2⤵
PID:6812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
3⤵
PID:5332

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EsgShKernel /y
2⤵
PID:7036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
3⤵
PID:5788

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EraserSvc11710 /y
2⤵
PID:6972

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EPUpdateService /y
2⤵
PID:6924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
3⤵
PID:5648

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EPSecurityService /y
2⤵
PID:6872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
3⤵
PID:5964

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop FA_Scheduler /y
2⤵
PID:7104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
3⤵
PID:5584

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop IISAdmin /y
2⤵
PID:6176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
3⤵
PID:5692

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop macmnsvc /y
2⤵
PID:6012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
3⤵
PID:6064

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeEngineService /y
2⤵
PID:6060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
3⤵
PID:5212

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFramework /y
2⤵
PID:5408

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McShield /y
2⤵
PID:6452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
3⤵
PID:5988

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfemms /y
2⤵
PID:6008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
3⤵
PID:6328

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McTaskManager /y
2⤵
PID:6000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfevtp /y
2⤵
PID:5068

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MMS /y
2⤵
PID:6292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
3⤵
PID:6528

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
2⤵
PID:6444

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
3⤵
PID:6576

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mozyprobackup /y
2⤵
PID:5560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
3⤵
PID:5528

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeES /y
2⤵
PID:4904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
3⤵
PID:6824

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeIS /y
2⤵
PID:5888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
3⤵
PID:5568

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
2⤵
PID:5776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
3⤵
PID:5720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6732

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSRS /y
2⤵
PID:6224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
3⤵
PID:6140

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
2⤵
PID:6088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
3⤵
PID:5648

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
2⤵
PID:6332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
3⤵
PID:5860

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
2⤵
PID:5744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
3⤵
PID:6908

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
2⤵
PID:6776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
3⤵
PID:5524

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
2⤵
PID:6484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
3⤵
PID:5960

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
2⤵
PID:6892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
3⤵
PID:6852

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
2⤵
PID:6432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
3⤵
PID:5220

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
2⤵
PID:7108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
3⤵
PID:5656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
4⤵
PID:5568

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
2⤵
PID:7048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
3⤵
PID:6596

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
2⤵
PID:6020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
3⤵
PID:6780

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
2⤵
PID:6492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
3⤵
PID:5236

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:5388

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPS /y
2⤵
PID:5644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
3⤵
PID:6340

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:6124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:6644

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
2⤵
PID:6964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
3⤵
PID:5320

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
2⤵
PID:5772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher /y
3⤵
PID:6512

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
2⤵
PID:7124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
3⤵
PID:5836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5868

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
2⤵
PID:6404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
3⤵
PID:5780

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
2⤵
PID:6304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
3⤵
PID:6196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5936

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLSERVER /y
2⤵
PID:5764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
3⤵
PID:6476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
4⤵
PID:5668

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
2⤵
PID:5628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
3⤵
PID:6148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
4⤵
PID:6976

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
2⤵
PID:5564

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MySQL57 /y
2⤵
PID:6068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
3⤵
PID:7044

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop OracleClientCache80 /y
2⤵
PID:5536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
3⤵
PID:6604

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop PDVFSService /y
2⤵
PID:6236

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:6832

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop POP3Svc /y
2⤵
PID:5156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
3⤵
PID:6812

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ntrtscan /y
2⤵
PID:6328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
3⤵
PID:6088

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MySQL80 /y
2⤵
PID:5580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
3⤵
PID:6552

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
2⤵
PID:5652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
3⤵
PID:5908

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
2⤵
PID:5892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
3⤵
PID:7148

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
2⤵
PID:5728

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
2⤵
PID:6592

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
2⤵
PID:5328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
3⤵
PID:6876

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer /y
2⤵
PID:6956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
3⤵
PID:5872

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
2⤵
PID:5948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
3⤵
PID:6624

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
2⤵
PID:6280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
3⤵
PID:5796

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPS /y
2⤵
PID:6308

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop RESvc /y
2⤵
PID:5824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESvc /y
3⤵
PID:6740

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SamSs /y
2⤵
PID:6272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
3⤵
PID:6164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
4⤵
PID:6000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
5⤵
PID:5352

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SDRSVC /y
2⤵
PID:5744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
3⤵
PID:6196

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SepMasterService /y
2⤵
PID:6412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
3⤵
PID:5672

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ShMonitor /y
2⤵
PID:5964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
3⤵
PID:6692

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SAVService /y
2⤵
PID:6640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
3⤵
PID:5468

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop Smcinst /y
2⤵
PID:5900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
3⤵
PID:6056

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SAVAdminService /y
2⤵
PID:5540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
3⤵
PID:6344

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SmcService /y
2⤵
PID:6376

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
3⤵
PID:4932

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SMTPSvc /y
2⤵
PID:5560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
3⤵
PID:6732

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SntpService /y
2⤵
PID:6708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
3⤵
PID:5820

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop sophossps /y
2⤵
PID:6580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
3⤵
PID:5772

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
2⤵
PID:6816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
3⤵
PID:5908

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
2⤵
PID:6176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
3⤵
PID:5868

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
2⤵
PID:5284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
3⤵
PID:5440

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
2⤵
PID:5224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
3⤵
PID:5232

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
2⤵
PID:5644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
3⤵
PID:5156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
4⤵
PID:7136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5896

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
2⤵
PID:6048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
3⤵
PID:6088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6220

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
2⤵
PID:7028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
3⤵
PID:6880

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
2⤵
PID:5552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
3⤵
PID:6172

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
2⤵
PID:6720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
3⤵
PID:6860

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:6408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:5692

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
2⤵
PID:4832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
3⤵
PID:5800

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
2⤵
PID:5596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
3⤵
PID:4196

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
2⤵
PID:6832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
3⤵
PID:5488

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLWriter /y
2⤵
PID:6136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
3⤵
PID:5880

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SstpSvc /y
2⤵
PID:6544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
3⤵
PID:6116

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
2⤵
PID:5724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
3⤵
PID:5188

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLBrowser /y
2⤵
PID:7120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
3⤵
PID:6848

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
2⤵
PID:6476

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop svcGenericHost /y
2⤵
PID:5736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
3⤵
PID:6560

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_service /y
2⤵
PID:6608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
3⤵
PID:7132

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_update_64 /y
2⤵
PID:5624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
4⤵
PID:6432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
3⤵
PID:6096

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_filter /y
2⤵
PID:5412

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
3⤵
PID:6228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
4⤵
PID:6316

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
2⤵
PID:6340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
3⤵
PID:5768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
3⤵
PID:6640

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKey /y
2⤵
PID:6360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
3⤵
PID:5416

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop tmlisten /y
2⤵
PID:6164

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TmCCSF /y
2⤵
PID:5148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
3⤵
PID:6896

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
2⤵
PID:6448

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
2⤵
PID:7060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
3⤵
PID:5968

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
2⤵
PID:6444

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
3⤵
PID:7064

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SNAC /y
2⤵
PID:5852

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop UI0Detect /y
2⤵
PID:6224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
3⤵
PID:5732

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop sacsvr /y
2⤵
PID:5700

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
2⤵
PID:5632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
3⤵
PID:5696

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
2⤵
PID:5604

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
2⤵
PID:5548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
3⤵
PID:6672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6124

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
2⤵
PID:6552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
3⤵
PID:6508

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamMountSvc /y
2⤵
PID:5908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
3⤵
PID:5328

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
2⤵
PID:6020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
3⤵
PID:5352

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
2⤵
PID:5440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
3⤵
PID:5612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
2⤵
PID:7124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
3⤵
PID:5508

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop W3Svc /y
2⤵
PID:6792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
3⤵
PID:6728

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:6180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:6464

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:7140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:5920

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop WRSVC /y
2⤵
PID:6304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
3⤵
PID:6128

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
2⤵
PID:7012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
3⤵
PID:5372

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop swi_update /y
2⤵
PID:5896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
4⤵
PID:6352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
3⤵
PID:6160

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
2⤵
PID:6476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
3⤵
PID:7080

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "SQL Backups" /y
2⤵
PID:6408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQL Backups" /y
3⤵
PID:5236

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROD /y
2⤵
PID:6420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
3⤵
PID:6276

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
2⤵
PID:5808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
3⤵
PID:5736

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
2⤵
PID:6780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
3⤵
PID:5828

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
2⤵
PID:6412

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
3⤵
PID:5964

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ekrn /y
2⤵
PID:6228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5724

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop ESHASRV /y
2⤵
PID:6588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
3⤵
PID:5972

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop EhttpSrv /y
2⤵
PID:5408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
3⤵
PID:5892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
3⤵
PID:6320

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop NetMsmqActivator /y
2⤵
PID:6132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
3⤵
PID:5696

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop msftesql$PROD /y
2⤵
PID:6168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
3⤵
PID:6548

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
2⤵
PID:6248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
3⤵
PID:5148

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
2⤵
PID:7160

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
2⤵
PID:6492

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
2⤵
PID:6372

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
2⤵
PID:5424

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
2⤵
PID:6220

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
2⤵
PID:5912

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
2⤵
PID:6324

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSA /y
2⤵
PID:6904

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMTA /y
2⤵
PID:6148

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
2⤵
PID:6300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
3⤵
PID:6744

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
2⤵
PID:6944

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
3⤵
PID:4196

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop AVP /y
2⤵
PID:6960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AVP /y
3⤵
PID:5488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6136

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer110 /y
2⤵
PID:5832

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer100 /y
2⤵
PID:6044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5528

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer /y
2⤵
PID:5156

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
2⤵
PID:5740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
3⤵
PID:6880

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
2⤵
PID:4932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:5212

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop kavfsslp /y
2⤵
PID:5704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
3⤵
PID:5236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe" /f
2⤵
PID:5756

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7.exe" /f
3⤵
- Adds Run key to start application
PID:6620

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop mfefire /y
2⤵
PID:6972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfefire /y
3⤵
PID:6852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
3⤵
PID:6084

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop KAVFS /y
2⤵
PID:6044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
3⤵
PID:7164

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop KAVFSGT /y
2⤵
PID:6672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
3⤵
PID:5660

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
2⤵
PID:6340

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop klnagent /y
2⤵
PID:5152

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MBEndpointAgent /y
2⤵
PID:6188

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop MBAMService /y
2⤵
PID:6348

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop masvc /y
2⤵
PID:6916

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop IMAP4Svc /y
2⤵
PID:5976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
1⤵
PID:5628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IMAP4Svc /y
1⤵
PID:5392

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
1⤵
PID:5464

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:5404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
1⤵
PID:5388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:6504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
1⤵
PID:6668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
1⤵
PID:7016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:6568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:6764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SNAC /y
1⤵
PID:6128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
2⤵
PID:5576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
1⤵
PID:5332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:6216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
1⤵
PID:7028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:7120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
1⤵
PID:6472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:5780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop masvc /y
1⤵
PID:5608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop klnagent /y
1⤵
PID:6008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:6900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1540-117-0x00007FF73AD00000-0x00007FF73AD35000-memory.dmp

Filesize
212KB

Download
memory/2448-115-0x00007FF73AD00000-0x00007FF73AD35000-memory.dmp

Filesize
212KB

Download
memory/4040-116-0x00007FF73AD00000-0x00007FF73AD35000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads