b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8

Analysis

max time kernel
175s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe
Size

168KB
MD5

958c594909933d4c82e93c22850194aa
SHA1

d7c5fa9df1c79a7d0c178d0b7a2fe6d104d35278
SHA256

b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8
SHA512

b8bc89d574b3838cd219f276a348f0438fa2963bf7d7ee17ca4662ed3a00339455f587a0cd7459c0da5b468e5f0ff718285120ac972ae3c7c170e375110f906b

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 44 IoCs

evasion

pid	Process
1872	taskkill.exe
220	taskkill.exe
3216	taskkill.exe
1272	taskkill.exe
4408	taskkill.exe
4472	taskkill.exe
4496	taskkill.exe
1592	taskkill.exe
1728	taskkill.exe
3560	taskkill.exe
1900	taskkill.exe
4724	taskkill.exe
4764	taskkill.exe
2596	taskkill.exe
2852	taskkill.exe
4128	taskkill.exe
4176	taskkill.exe
4824	taskkill.exe
620	taskkill.exe
3716	taskkill.exe
3596	taskkill.exe
636	taskkill.exe
4248	taskkill.exe
4540	taskkill.exe
4592	taskkill.exe
4684	taskkill.exe
2656	taskkill.exe
4628	taskkill.exe
2724	taskkill.exe
3200	taskkill.exe
1300	taskkill.exe
1908	taskkill.exe
452	taskkill.exe
4080	taskkill.exe
4216	taskkill.exe
4324	taskkill.exe
4364	taskkill.exe
4892	taskkill.exe
2408	taskkill.exe
2796	taskkill.exe
4944	taskkill.exe
4992	taskkill.exe
5052	taskkill.exe
1920	taskkill.exe

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	452	taskkill.exe
Token: SeDebugPrivilege	3716	taskkill.exe
Token: SeDebugPrivilege	4472	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	4824	taskkill.exe
Token: SeDebugPrivilege	3560	taskkill.exe
Token: SeDebugPrivilege	3216	taskkill.exe
Token: SeDebugPrivilege	4496	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	4540	taskkill.exe
Token: SeDebugPrivilege	4892	taskkill.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	620	taskkill.exe
Token: SeDebugPrivilege	4248	taskkill.exe
Token: SeDebugPrivilege	4080	taskkill.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	4216	taskkill.exe
Token: SeDebugPrivilege	4364	taskkill.exe
Token: SeDebugPrivilege	4408	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	4684	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	3200	taskkill.exe
Token: SeDebugPrivilege	4176	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	4128	taskkill.exe
Token: SeDebugPrivilege	4324	taskkill.exe
Token: SeDebugPrivilege	4724	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	4944	taskkill.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	4992	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	3596	taskkill.exe
Token: SeDebugPrivilege	2724	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	4628	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 2596	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	58
PID 4012 wrote to memory of 2596	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	58
PID 4012 wrote to memory of 2408	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	60
PID 4012 wrote to memory of 2408	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	60
PID 4012 wrote to memory of 620	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	62
PID 4012 wrote to memory of 620	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	62
PID 4012 wrote to memory of 2724	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	64
PID 4012 wrote to memory of 2724	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	64
PID 4012 wrote to memory of 2852	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	66
PID 4012 wrote to memory of 2852	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	66
PID 4012 wrote to memory of 1920	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	68
PID 4012 wrote to memory of 1920	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	68
PID 4012 wrote to memory of 2656	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	70
PID 4012 wrote to memory of 2656	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	70
PID 4012 wrote to memory of 3716	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	72
PID 4012 wrote to memory of 3716	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	72
PID 4012 wrote to memory of 3596	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	74
PID 4012 wrote to memory of 3596	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	74
PID 4012 wrote to memory of 1908	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	76
PID 4012 wrote to memory of 1908	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	76
PID 4012 wrote to memory of 452	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	78
PID 4012 wrote to memory of 452	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	78
PID 4012 wrote to memory of 636	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	81
PID 4012 wrote to memory of 636	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	81
PID 4012 wrote to memory of 1728	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	82
PID 4012 wrote to memory of 1728	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	82
PID 4012 wrote to memory of 1592	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	87
PID 4012 wrote to memory of 1592	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	87
PID 4012 wrote to memory of 3560	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	85
PID 4012 wrote to memory of 3560	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	85
PID 4012 wrote to memory of 1872	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	88
PID 4012 wrote to memory of 1872	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	88
PID 4012 wrote to memory of 220	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	90
PID 4012 wrote to memory of 220	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	90
PID 4012 wrote to memory of 3216	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	92
PID 4012 wrote to memory of 3216	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	92
PID 4012 wrote to memory of 1900	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	94
PID 4012 wrote to memory of 1900	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	94
PID 4012 wrote to memory of 1300	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	96
PID 4012 wrote to memory of 1300	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	96
PID 4012 wrote to memory of 1272	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	98
PID 4012 wrote to memory of 1272	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	98
PID 4012 wrote to memory of 3200	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	100
PID 4012 wrote to memory of 3200	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	100
PID 4012 wrote to memory of 4080	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	103
PID 4012 wrote to memory of 4080	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	103
PID 4012 wrote to memory of 2796	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	104
PID 4012 wrote to memory of 2796	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	104
PID 4012 wrote to memory of 4128	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	106
PID 4012 wrote to memory of 4128	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	106
PID 4012 wrote to memory of 4176	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	109
PID 4012 wrote to memory of 4176	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	109
PID 4012 wrote to memory of 4216	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	110
PID 4012 wrote to memory of 4216	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	110
PID 4012 wrote to memory of 4248	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	112
PID 4012 wrote to memory of 4248	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	112
PID 4012 wrote to memory of 4324	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	114
PID 4012 wrote to memory of 4324	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	114
PID 4012 wrote to memory of 4364	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	118
PID 4012 wrote to memory of 4364	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	118
PID 4012 wrote to memory of 4408	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	117
PID 4012 wrote to memory of 4408	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	117
PID 4012 wrote to memory of 4472	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	120
PID 4012 wrote to memory of 4472	4012	b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe	120

C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe
"C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3716
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:452
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3216
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3200
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4080
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4176
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4216
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4248
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
  2⤵
  PID:4240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3⤵
    PID:6608
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
  2⤵
  PID:4372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3⤵
    PID:6408
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
  2⤵
  PID:4600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Agent" /y
    3⤵
    PID:6416
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
  2⤵
  PID:4904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:6400
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
  2⤵
  PID:1340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    3⤵
    PID:6424
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
  2⤵
  PID:2748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    3⤵
    PID:6440
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
  2⤵
  PID:5156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    3⤵
    PID:6432
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
  2⤵
  PID:5196
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3⤵
    PID:6448
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
  2⤵
  PID:5228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3⤵
    PID:6456
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
  2⤵
  PID:5272
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    3⤵
    PID:6464
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
  2⤵
  PID:5312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3⤵
    PID:6480
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
  2⤵
  PID:5360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3⤵
    PID:6472
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
  2⤵
  PID:5420
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    3⤵
    PID:6488
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
  2⤵
  PID:5492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    3⤵
    PID:6496
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
  2⤵
  PID:5540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    3⤵
    PID:6504
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
  2⤵
  PID:5588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    3⤵
    PID:6512
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
  2⤵
  PID:5636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    3⤵
    PID:6520
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
  2⤵
  PID:5676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:6536
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AcronisAgent /y
  2⤵
  PID:5704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:6528
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:6544
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop Antivirus /y
  2⤵
  PID:5820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Antivirus /y
    3⤵
    PID:6552
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ARSM /y
  2⤵
  PID:5856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:6560
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:6568
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:5952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:6616
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:6000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3⤵
    PID:6368
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:6068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:6392
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
  2⤵
  PID:6116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:6384
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
  2⤵
  PID:5268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:6584
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:6376
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop bedbg /y
  2⤵
  PID:5776
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:6576
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop DCAgent /y
  2⤵
  PID:6024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DCAgent /y
    3⤵
    PID:7916
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EPSecurityService /y
  2⤵
  PID:6152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPSecurityService /y
    3⤵
    PID:8028
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EPUpdateService /y
  2⤵
  PID:6184
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:7932
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
  2⤵
  PID:6220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EraserSvc11710 /y
    3⤵
    PID:8036
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EsgShKernel /y
  2⤵
  PID:6252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EsgShKernel /y
    3⤵
    PID:8020
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop FA_Scheduler /y
  2⤵
  PID:6304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop FA_Scheduler /y
    3⤵
    PID:8012
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop IISAdmin /y
  2⤵
  PID:6344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IISAdmin /y
    3⤵
    PID:8004
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop IMAP4Svc /y
  2⤵
  PID:6648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IMAP4Svc /y
    3⤵
    PID:7996
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop macmnsvc /y
  2⤵
  PID:6700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop macmnsvc /y
    3⤵
    PID:7924
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop masvc /y
  2⤵
  PID:6752
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop masvc /y
    3⤵
    PID:8272
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MBAMService /y
  2⤵
  PID:6788
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:7988
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
  2⤵
  PID:6832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBEndpointAgent /y
    3⤵
    PID:7972
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
  2⤵
  PID:6864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeEngineService /y
    3⤵
    PID:7980
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeFramework /y
  2⤵
  PID:6908
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFramework /y
    3⤵
    PID:8280
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:6988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:8288
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McShield /y
  2⤵
  PID:7032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McShield /y
    3⤵
    PID:7964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McTaskManager /y
  2⤵
  PID:7064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:7956
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfemms /y
  2⤵
  PID:7100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfemms /y
    3⤵
    PID:7948
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfevtp /y
  2⤵
  PID:6076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:7940
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MMS /y
  2⤵
  PID:6656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MMS /y
    3⤵
    PID:7892
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mozyprobackup /y
  2⤵
  PID:6900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mozyprobackup /y
    3⤵
    PID:8296
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer /y
  2⤵
  PID:7072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer /y
    3⤵
    PID:7908
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
  2⤵
  PID:7204
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer100 /y
    3⤵
    PID:8312
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
  2⤵
  PID:7264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer110 /y
    3⤵
    PID:8304
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeES /y
  2⤵
  PID:7312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeES /y
    3⤵
    PID:8320
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeIS /y
  2⤵
  PID:7360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS /y
    3⤵
    PID:8328
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:7392
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMGMT /y
    3⤵
    PID:7900
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeMTA /y
  2⤵
  PID:7452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMTA /y
    3⤵
    PID:8264
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSA /y
  2⤵
  PID:7488
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSRS /y
  2⤵
  PID:7536
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:7560
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:7604
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:7628
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPS /y
    3⤵
    PID:8336
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:7664
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:7696
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:7716
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:7744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:8964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:7776
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:8248
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:7812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:9016
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:7852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:8256
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:8056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    3⤵
    PID:8972
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:8092
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:9096
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:8132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:8940
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$TPS /y
  2⤵
  PID:8180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:8924
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:7276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
    3⤵
    PID:8948
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:7424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:8908
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:7872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:8916
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
  2⤵
  PID:6916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher /y
    3⤵
    PID:8932
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:8232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:8900
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:8360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:8884
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:8424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:8876
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:8508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:8892
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:8564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:8868
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:8604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:9104
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:8652
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:9024
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLSERVER /y
  2⤵
  PID:8700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER /y
    3⤵
    PID:11224
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:8748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
    3⤵
    PID:11216
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:8776
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
    3⤵
    PID:11240
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MySQL80 /y
  2⤵
  PID:8808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL80 /y
    3⤵
    PID:8472
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MySQL57 /y
  2⤵
  PID:9404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL57 /y
    3⤵
    PID:11248
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ntrtscan /y
  2⤵
  PID:10008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ntrtscan /y
    3⤵
    PID:11256
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop OracleClientCache80 /y
  2⤵
  PID:10048
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop OracleClientCache80 /y
    3⤵
    PID:10268
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop PDVFSService /y
  2⤵
  PID:5928
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop POP3Svc /y
  2⤵
  PID:3436
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer /y
  2⤵
  PID:5652
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:8120
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:8576
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$TPS /y
  2⤵
  PID:8688
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:7792
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop RESvc /y
  2⤵
  PID:7596
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop sacsvr /y
  2⤵
  PID:6300
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SamSs /y
  2⤵
  PID:10260
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SAVAdminService /y
  2⤵
  PID:10280
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SDRSVC /y
  2⤵
  PID:10320
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SAVService /y
  2⤵
  PID:10300
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SepMasterService /y
  2⤵
  PID:10340
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ShMonitor /y
  2⤵
  PID:10360
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop Smcinst /y
  2⤵
  PID:10380
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SmcService /y
  2⤵
  PID:10400
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SMTPSvc /y
  2⤵
  PID:10420
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SNAC /y
  2⤵
  PID:10440
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SntpService /y
  2⤵
  PID:10460
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop sophossps /y
  2⤵
  PID:10480
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:10500
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:10520
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:10540
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:10560
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:10580
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:10600
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:10620
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:10640
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:10660
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:11232
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:10368
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:10428
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:10548
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLBrowser /y
  2⤵
  PID:10608
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:3228
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:228
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:10648
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:10852
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLWriter /y
  2⤵
  PID:11024
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SstpSvc /y
  2⤵
  PID:11040
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop svcGenericHost /y
  2⤵
  PID:10900
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_filter /y
  2⤵
  PID:10864
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_service /y
  2⤵
  PID:10668
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_update_64 /y
  2⤵
  PID:9628
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TmCCSF /y
  2⤵
  PID:2380
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop tmlisten /y
  2⤵
  PID:704
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKey /y
  2⤵
  PID:10940
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:10912
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:3400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads