ryuk | 8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736

Analysis

max time kernel
170s
max time network
145s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
Size

136KB
MD5

61f3e072c19f758359d18d5e8f757630
SHA1

40665226308f95a4e297ccd1bc63e2b6e1337d6b
SHA256

8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736
SHA512

2302205f21afe80a4fd2027acb5faebf18ca6b5cc0f59581e6664877ca886ef4b0d3112aeefa6f76c7876c4db9536dd57a221ba80376b4b201e7729a5d639d6c

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz Ryuk No system is safe

Emails

[email protected]

Wallets

1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe"	reg.exe

Drops file in Program Files directory 63 IoCs

Processes:

8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\RyukReadMe.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 44 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1604	taskkill.exe
1940	taskkill.exe
2044	taskkill.exe
2140	taskkill.exe
2336	taskkill.exe
1828	taskkill.exe
1056	taskkill.exe
1592	taskkill.exe
1248	taskkill.exe
1264	taskkill.exe
948	taskkill.exe
892	taskkill.exe
1712	taskkill.exe
2280	taskkill.exe
2392	taskkill.exe
1400	taskkill.exe
1608	taskkill.exe
1768	taskkill.exe
1020	taskkill.exe
2056	taskkill.exe
2308	taskkill.exe
2368	taskkill.exe
1944	taskkill.exe
2416	taskkill.exe
1124	taskkill.exe
2204	taskkill.exe
2224	taskkill.exe
1468	taskkill.exe
1928	taskkill.exe
1128	taskkill.exe
1480	taskkill.exe
832	taskkill.exe
1908	taskkill.exe
1816	taskkill.exe
2112	taskkill.exe
1036	taskkill.exe
1048	taskkill.exe
1612	taskkill.exe
1956	taskkill.exe
1920	taskkill.exe
816	taskkill.exe
2092	taskkill.exe
2168	taskkill.exe
2252	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe

pid	process
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe

pid process

1668 8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	2204	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	1020	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	1036	taskkill.exe
Token: SeDebugPrivilege	1128	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe

description	pid	process	target process
PID 1668 wrote to memory of 1264	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1264	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1264	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1264	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1468	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1468	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1468	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1468	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1400	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1400	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1400	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1400	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1828	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1828	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1828	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1828	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1056	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1056	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1056	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1056	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1604	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1604	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1604	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1604	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1928	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1928	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1928	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1928	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1128	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1128	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1128	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1128	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1036	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1036	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1036	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1036	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 948	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 948	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 948	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 948	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1480	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1480	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1480	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1480	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1608	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1608	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1608	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1608	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1048	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1048	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1048	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1048	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 832	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 832	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 832	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 832	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1768	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1768	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1768	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1768	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1908	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1908	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1908	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe
PID 1668 wrote to memory of 1908	1668	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	taskkill.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1312

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
"C:\Users\Admin\AppData\Local\Temp\8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
2⤵
PID:2456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
3⤵
PID:6524

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
2⤵
PID:2480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Enterprise Client Service" /y
3⤵
PID:6332

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Agent" /y
2⤵
PID:2500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Agent" /y
3⤵
PID:7084

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
2⤵
PID:2528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
3⤵
PID:7344

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
2⤵
PID:2540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Clean Service" /y
3⤵
PID:6572

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
2⤵
PID:2576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
3⤵
PID:7592

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
2⤵
PID:2600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
3⤵
PID:7156

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
2⤵
PID:2624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Health Service" /y
3⤵
PID:6612

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
2⤵
PID:2648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
3⤵
PID:7304

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
2⤵
PID:2708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Client" /y
3⤵
PID:6556

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
2⤵
PID:2732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Message Router" /y
3⤵
PID:6860

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
2⤵
PID:2756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
3⤵
PID:6380

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
2⤵
PID:2776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
3⤵
PID:6996

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
2⤵
PID:2812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
3⤵
PID:7328

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
2⤵
PID:2840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
3⤵
PID:6884

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
2⤵
PID:2872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
3⤵
PID:7108

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
2⤵
PID:2896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
3⤵
PID:6476

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
2⤵
PID:2924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
3⤵
PID:6660

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop AcronisAgent /y
2⤵
PID:2952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
3⤵
PID:7312

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop AcrSch2Svc /y
2⤵
PID:2976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
3⤵
PID:7544

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop Antivirus /y
2⤵
PID:3008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
3⤵
PID:6580

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop ARSM /y
2⤵
PID:3032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
3⤵
PID:7696

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:3060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
3⤵
PID:7192

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:2128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
3⤵
PID:7280

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
2⤵
PID:2212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
3⤵
PID:7272

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
2⤵
PID:2332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
3⤵
PID:7296

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop BackupExecManagementService /y
2⤵
PID:2400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
3⤵
PID:7552

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop BackupExecRPCService /y
2⤵
PID:2496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
3⤵
PID:7320

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
2⤵
PID:2556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
3⤵
PID:6948

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop bedbg /y
2⤵
PID:2640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bedbg /y
3⤵
PID:7632

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop DCAgent /y
2⤵
PID:2748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
3⤵
PID:6564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop EPSecurityService /y
2⤵
PID:2852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
3⤵
PID:7004

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop EPUpdateService /y
2⤵
PID:2968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
3⤵
PID:7536

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop EraserSvc11710 /y
2⤵
PID:3068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
3⤵
PID:6956

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop EsgShKernel /y
2⤵
PID:2344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
3⤵
PID:6980

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop FA_Scheduler /y
2⤵
PID:2820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
3⤵
PID:7472

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop IISAdmin /y
2⤵
PID:2156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
3⤵
PID:7256

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop IMAP4Svc /y
2⤵
PID:3080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IMAP4Svc /y
3⤵
PID:6300

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop macmnsvc /y
2⤵
PID:3100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
3⤵
PID:6700

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop masvc /y
2⤵
PID:3132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop masvc /y
3⤵
PID:6972

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MBAMService /y
2⤵
PID:3156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
3⤵
PID:6964

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MBEndpointAgent /y
2⤵
PID:3196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
3⤵
PID:7248

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop McAfeeEngineService /y
2⤵
PID:3208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
3⤵
PID:6644

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFramework /y
2⤵
PID:3244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
3⤵
PID:7288

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
2⤵
PID:3268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
3⤵
PID:6988

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop McShield /y
2⤵
PID:3304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield /y
3⤵
PID:7440

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop McTaskManager /y
2⤵
PID:3328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
3⤵
PID:6924

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop mfemms /y
2⤵
PID:3364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfemms /y
3⤵
PID:7264

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop mfevtp /y
2⤵
PID:3388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
3⤵
PID:7028

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MMS /y
2⤵
PID:3412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MMS /y
3⤵
PID:6788

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop mozyprobackup /y
2⤵
PID:3436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
3⤵
PID:6908

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer /y
2⤵
PID:3472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
3⤵
PID:6756

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer100 /y
2⤵
PID:3500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
3⤵
PID:7624

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MsDtsServer110 /y
2⤵
PID:3528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
3⤵
PID:7224

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeES /y
2⤵
PID:3548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
3⤵
PID:6636

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeIS /y
2⤵
PID:3580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
3⤵
PID:6532

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
2⤵
PID:3604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
3⤵
PID:7512

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeMTA /y
2⤵
PID:3640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
3⤵
PID:7020

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSA /y
2⤵
PID:3664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
3⤵
PID:7240

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSRS /y
2⤵
PID:3696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
3⤵
PID:7232

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
2⤵
PID:3724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
3⤵
PID:7480

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
2⤵
PID:3752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
3⤵
PID:7616

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
2⤵
PID:3780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
3⤵
PID:6244

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
2⤵
PID:3808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
3⤵
PID:7012

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
2⤵
PID:3828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
3⤵
PID:6116

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
2⤵
PID:3864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
3⤵
PID:6940

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
2⤵
PID:3888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
3⤵
PID:7584

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
2⤵
PID:3912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
3⤵
PID:7384

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
2⤵
PID:3932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
3⤵
PID:6684

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
2⤵
PID:3972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
3⤵
PID:6812

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
2⤵
PID:4000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
3⤵
PID:7360

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
2⤵
PID:4032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
3⤵
PID:6892

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
2⤵
PID:4060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
3⤵
PID:6804

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPS /y
2⤵
PID:4088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
3⤵
PID:7576

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
2⤵
PID:2632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
3⤵
PID:6452

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:3216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:7036

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
2⤵
PID:3276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
3⤵
PID:6548

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
2⤵
PID:3432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher /y
3⤵
PID:7672

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
2⤵
PID:3492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
3⤵
PID:6516

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
2⤵
PID:3628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
3⤵
PID:7560

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
2⤵
PID:3672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
3⤵
PID:6436

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
2⤵
PID:3852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
3⤵
PID:7520

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
2⤵
PID:3884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
3⤵
PID:6732

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
2⤵
PID:3996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
3⤵
PID:7744

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
2⤵
PID:4068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
3⤵
PID:7164

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQLSERVER /y
2⤵
PID:3352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
3⤵
PID:6724

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
2⤵
PID:3508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
3⤵
PID:6468

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
2⤵
PID:3484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
3⤵
PID:7216

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MySQL80 /y
2⤵
PID:3732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
3⤵
PID:6500

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MySQL57 /y
2⤵
PID:4132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
3⤵
PID:7600

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop ntrtscan /y
2⤵
PID:4152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
3⤵
PID:6420

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop OracleClientCache80 /y
2⤵
PID:4192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
3⤵
PID:7496

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop PDVFSService /y
2⤵
PID:4212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:7140

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop POP3Svc /y
2⤵
PID:4244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
3⤵
PID:6588

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop ReportServer /y
2⤵
PID:4264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
3⤵
PID:7208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
2⤵
PID:4300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
3⤵
PID:7052

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
2⤵
PID:4328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
3⤵
PID:6820

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPS /y
2⤵
PID:4356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
3⤵
PID:7336

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
2⤵
PID:4376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
3⤵
PID:6508

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop RESvc /y
2⤵
PID:4420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
3⤵
PID:6460

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop sacsvr /y
2⤵
PID:4440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
3⤵
PID:6796

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SamSs /y
2⤵
PID:4476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SamSs /y
3⤵
PID:7068

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SAVAdminService /y
2⤵
PID:4496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
3⤵
PID:7044

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SAVService /y
2⤵
PID:4532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVService /y
3⤵
PID:6900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SDRSVC /y
2⤵
PID:4552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
3⤵
PID:6868

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SepMasterService /y
2⤵
PID:4580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
3⤵
PID:6340

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop ShMonitor /y
2⤵
PID:4608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
3⤵
PID:7608

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop Smcinst /y
2⤵
PID:4636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
3⤵
PID:7464

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SmcService /y
2⤵
PID:4648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SmcService /y
3⤵
PID:6356

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SMTPSvc /y
2⤵
PID:4692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
3⤵
PID:7132

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SNAC /y
2⤵
PID:4720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SNAC /y
3⤵
PID:7076

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SntpService /y
2⤵
PID:4748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SntpService /y
3⤵
PID:7504

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop sophossps /y
2⤵
PID:4776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophossps /y
3⤵
PID:7416

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
2⤵
PID:4796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
3⤵
PID:7568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
2⤵
PID:4816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
3⤵
PID:6348

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
2⤵
PID:4852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
3⤵
PID:7664

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
2⤵
PID:4888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
3⤵
PID:7432

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
2⤵
PID:4912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
3⤵
PID:6372

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
2⤵
PID:4936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
3⤵
PID:6748

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
2⤵
PID:4968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
3⤵
PID:7528

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
2⤵
PID:4992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
3⤵
PID:6324

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
2⤵
PID:5024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
3⤵
PID:7148

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
2⤵
PID:5048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
3⤵
PID:6484

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
2⤵
PID:5084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
3⤵
PID:6852

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:5096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:6292

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
2⤵
PID:4144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
3⤵
PID:7184

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLBrowser /y
2⤵
PID:4160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
3⤵
PID:6404

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
2⤵
PID:4344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
3⤵
PID:6828

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
2⤵
PID:4436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
3⤵
PID:7200

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
2⤵
PID:4572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
3⤵
PID:6708

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
2⤵
PID:4628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
3⤵
PID:6308

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLWriter /y
2⤵
PID:4760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
3⤵
PID:6764

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SstpSvc /y
2⤵
PID:4832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
3⤵
PID:7456

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop svcGenericHost /y
2⤵
PID:4960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
3⤵
PID:7376

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop swi_filter /y
2⤵
PID:5000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
3⤵
PID:7060

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop swi_service /y
2⤵
PID:5104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_service /y
3⤵
PID:6444

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop swi_update_64 /y
2⤵
PID:4492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
3⤵
PID:6916

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop TmCCSF /y
2⤵
PID:4840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
3⤵
PID:6692

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop tmlisten /y
2⤵
PID:5092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
3⤵
PID:6668

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop TrueKey /y
2⤵
PID:5136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
3⤵
PID:7648

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
2⤵
PID:5156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
3⤵
PID:7092

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
2⤵
PID:5188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
3⤵
PID:7368

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop UI0Detect /y
2⤵
PID:5212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
3⤵
PID:7488

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
2⤵
PID:5240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
3⤵
PID:7640

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
2⤵
PID:5264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
3⤵
PID:6412

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
2⤵
PID:5296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
3⤵
PID:6540

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
2⤵
PID:5324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
3⤵
PID:7704

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
2⤵
PID:5352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
3⤵
PID:6316

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
2⤵
PID:5380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
3⤵
PID:6780

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
2⤵
PID:5404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
3⤵
PID:6772

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop VeeamMountSvc /y
2⤵
PID:5420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
3⤵
PID:6716

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
2⤵
PID:5452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
3⤵
PID:6844

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
2⤵
PID:5480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
3⤵
PID:6876

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
2⤵
PID:5520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:7100

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop W3Svc /y
2⤵
PID:5532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
3⤵
PID:6932

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
2⤵
PID:5564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:6492

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop WRSVC /y
2⤵
PID:5588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
3⤵
PID:6740

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
2⤵
PID:5624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:7400

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
2⤵
PID:5644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:6652

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
2⤵
PID:5688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
3⤵
PID:7116

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop swi_update /y
2⤵
PID:5708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update /y
3⤵
PID:6628

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
2⤵
PID:5740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
3⤵
PID:6596

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
2⤵
PID:5764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
3⤵
PID:6396

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQL Backups" /y
2⤵
PID:5808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQL Backups" /y
3⤵
PID:7424

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$PROD /y
2⤵
PID:5828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
3⤵
PID:6428

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
2⤵
PID:5852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
3⤵
PID:6604

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
2⤵
PID:5876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
3⤵
PID:6620

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
2⤵
PID:5908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
3⤵
PID:7688

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop msftesql$PROD /y
2⤵
PID:5932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
3⤵
PID:7656

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop NetMsmqActivator /y
2⤵
PID:5972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
3⤵
PID:7408

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop EhttpSrv /y
2⤵
PID:5992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
3⤵
PID:7392

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop ekrn /y
2⤵
PID:6028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
3⤵
PID:7124

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop ESHASRV /y
2⤵
PID:6056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
3⤵
PID:7712

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
2⤵
PID:6084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
3⤵
PID:7720

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
2⤵
PID:6108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
3⤵
PID:6836

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop AVP /y
2⤵
PID:5008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
3⤵
PID:7176

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop klnagent /y
2⤵
PID:5152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
3⤵
PID:6388

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
2⤵
PID:5284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
3⤵
PID:7352

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
2⤵
PID:5336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
3⤵
PID:7448

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop wbengine /y
2⤵
PID:5508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
3⤵
PID:6676

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop kavfsslp /y
2⤵
PID:5548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
3⤵
PID:7680

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop KAVFSGT /y
2⤵
PID:5656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
3⤵
PID:6364

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop KAVFS /y
2⤵
PID:5760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
3⤵
PID:7736

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop mfefire /y
2⤵
PID:5872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
3⤵
PID:7728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe" /f /reg:64
2⤵
PID:5980

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:6284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6871031631284458611160407992-130610544913415443131669032739-18365657871128565898"
1⤵
PID:556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1049159680-1988096177-1932371424135295461249588447-2082066828-1832635587-1703064998"
1⤵
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-987836902-585712797-148629859-12687448481437080495-1394165761112651581574721"
1⤵
PID:1160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1685782258-419003713-1258293508-1578879168-1624268459-1971073794-16447385101328562108"
1⤵
PID:1552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "422680268-428011101-5005116262066805154-1106754408-728202677-1148281629-2108837868"
1⤵
PID:436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-559301058-2244319299125842201412837683-1774459832135368834417034468191069314011"
1⤵
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "484192219-91240525647600886-1356218342-2117896792267815370-1871323453-1764573286"
1⤵
PID:956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8211354791030248520-1454059279-470707216-7548934222094144722108608799-1382722433"
1⤵
PID:1520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14154069285833329391812436808796674103153330655214051305-9318046571536049973"
1⤵
PID:1492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1327327512763822916912301864-2060550307816173271-1975492443-2014778502-732167282"
1⤵
PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "690580242-482884595005525726431406921419158292373593427-1676547046-1159328588"
1⤵
PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "94385239643470291163306611355844125-184988493818261915-1228995824783096095"
1⤵
PID:1916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2022653465-422329019-303408997792888315-624280923-573635726-1102718916-1099397391"
1⤵
PID:880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2058075478-5403074271964412422-1787832266-2130221833477755816-1200660089178354764"
1⤵
PID:1588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "700095837-2005264770-605711762-430418501-10985098761801243115-1326737022-1422588555"
1⤵
PID:588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-598166110-1897370358670610841-2106615443492804118-16309429221651237065771272616"
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-74461757-13419117891226756969-14974999601707494549-117306097-1856636399-250806545"
1⤵
PID:1764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2050676578-803438539-801698960-101301085113261311628353982812003419752-643180642"
1⤵
PID:1692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "277715466409881070-399137883-4001661011395314651-83649982-1450960274142637352"
1⤵
PID:1108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11597366-101045974-862604953-1182559475-1985171124-336354270-151238711051838135"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12711602592052567799-329075286-1592259515-2103978564-64073018-1606407390531382951"
1⤵
PID:1708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19333368949085397651982616301-2077754467-1775811448-498099246-401936802-435438181"
1⤵
PID:1476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "550005223420561289-574768226-164382938-87817272116404515619040750231465751580"
1⤵
PID:1496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1392557857-14863547381735065222262677823-1528172916-1880911858-1239033027-7233536"
1⤵
PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt

MD5
c03e00c87643eb8a7003f8d4f316f07a

SHA1
aaa7c803c46cd29e2f3bf7e4fd175ab37c6a505f

SHA256
b26adbe1ce66ce56ca20e28d3e8c1bf6d810f8a7f3a1680760b7e16827a2f6e9

SHA512
fe378fea020670dee255cbafa3b7e97cab9ba0c7eef08083e7af5022515d073e932827a07caff9e2dee78fe765ea51f0ed2b8a601bf7febe353b472da674e14c

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt

MD5
c03e00c87643eb8a7003f8d4f316f07a

SHA1
aaa7c803c46cd29e2f3bf7e4fd175ab37c6a505f

SHA256
b26adbe1ce66ce56ca20e28d3e8c1bf6d810f8a7f3a1680760b7e16827a2f6e9

SHA512
fe378fea020670dee255cbafa3b7e97cab9ba0c7eef08083e7af5022515d073e932827a07caff9e2dee78fe765ea51f0ed2b8a601bf7febe353b472da674e14c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5
cc36bfff79ad97b27d13fc0e2fdc8a0c

SHA1
d5e4c409bb364636e44d9b8c99489c2065614cd0

SHA256
ad5c744b13a09e14ea0c9c740de62dba666a778d7db224ada12e08f8a3a17600

SHA512
be1187f9986b91748d23dbf25eb48672a707bed59f75520dc1ef1826d66bde67eb44bf923e52f84a6f135e177c08bc8ea0bf6d18bcb765f88c4ca7033c28183a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

MD5
ff8e4583169335d240c7e5b8b5f48966

SHA1
288f2a8e3cfc2ffa0dee81f8c8e137c68abd3e7c

SHA256
12acbdd229c3d6d22f9cb9cb5bab38ed3003e992c4e3fec287e5878b0458980e

SHA512
eb395395b36b6c4eefddd7337e3ff1a21a550429ba915f302ab1f41ab50b92dd55eb8a64aac94c5e873e76a72e34438f0a126948d6b588503782a2e472445746

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml

MD5
134d6fb2cb3ae35665b217fa38d65f77

SHA1
affee33efe5e29aec85613e9f829c4f37258a6a2

SHA256
711c5731e3223a515530cc8536f40ce8283f8429365c7ac343fd2ca04dbd85e0

SHA512
38e141fb45cc4a5b12834f085ca95bc53fb1ea93ccf05e12a8e42e31dcb637961120b44619894eca76af2a11b32302d83c3cc3cd423c4268293dd3f485ecaeba

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
ac13981a51376992d4e453c9a333dc76

SHA1
62c2ed1ffa1d5151ace88defe928b7c6f68453df

SHA256
f8c06a6d41c47f7b46a2314a58f945ebcc190f6afdc25fff3d46c9dba2aea76e

SHA512
9f9e29eded473dfcc195e25bac0fe648c92ad6ae02c97fecfb563a80b65e227709419fa431d36738cadfa2e94b34507b2ae41b1ab04d96ed6e04c8278135f1e6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml

MD5
db48fde4b20bf45ee2c3264ece7efea7

SHA1
3dc40270d910aa2a4c0bf7adbb78381d6f10b9fa

SHA256
89ec49b3e8121ebe2b50778769ed36eed77ce1a46244ea75d30f653cb123843b

SHA512
08f655f70e5c5ac6c9b378929b6d184affd8fe14e69f2983ad32c1c90cb7809665a5b108d952b6621d9f99c5b98fe11357242f926489f1c7ccc6287be74e6355

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
ffd920230d591792235375dfe10adc40

SHA1
96ba96e75789a13e65aaa1e61635c3cc19f24303

SHA256
b8675cc5a0c6e95c3c96f7f7effc4799af953a86b43d9cdbdb9e3aada084d886

SHA512
7aca2df340060dc53bbf578a03d1770617d42b223737c34d75c038a79dc6d7fc2813706bd1e78c5a349daae35277689f0831ef95fe5337ef946775e6abb04719

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
094ea4035c53216bd584fb074874a69b

SHA1
354b25a29532fd27d69e4721eb0a3356c2918233

SHA256
1cc7e39c3dec76ce3bbc3f85c89bdcf424b55a292c275b9aa3b56cb41e9cac14

SHA512
615f2ae8cce2247d0ee4b4c7f53c812bfad7b39075cde76da9b55bb953e78c045bb419bbf90fa6da1309e7462388c4e5bcb944d4a9225654b7026913ec3010a8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
c03e00c87643eb8a7003f8d4f316f07a

SHA1
aaa7c803c46cd29e2f3bf7e4fd175ab37c6a505f

SHA256
b26adbe1ce66ce56ca20e28d3e8c1bf6d810f8a7f3a1680760b7e16827a2f6e9

SHA512
fe378fea020670dee255cbafa3b7e97cab9ba0c7eef08083e7af5022515d073e932827a07caff9e2dee78fe765ea51f0ed2b8a601bf7febe353b472da674e14c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml

MD5
2c79db77594f12be1d039cc64e90d8f6

SHA1
4824e269a0b4ff481f0809fbc8c0c871848f83a3

SHA256
a36f06f801e0e7a12b8fc1ff20b97b132b1944aabc8f55fc7e672db65ac37212

SHA512
7965ac06248dd76e294c39db44f1988ea646a6a34bec420662a582b5c166872bd110a95cf52c941b3f9cafb15682045a0873cd5538ef92326acf8fbcd6586b54

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms

MD5
e8beb00fca65df8a41d5389a094dbfda

SHA1
f71715f19fba609620a099ff5b4b8d10af15aff4

SHA256
71681c761fbd78ab3af3dc6c86594e78d5e4744d889ce440c7f616f2a8b37a62

SHA512
c04f975347e59f055a6f4626dacbf985bf090a534d25e2d18fd3e9bb1d0f70865b1a0f2491f4a1769e3fdfa5733a7fcbfe8b08a20545e3709c0d69cc00e96988

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab

MD5
fc82037937e7a5064e0b3c16172e129d

SHA1
a339cfef02087fe72139dcaa4d690d725dc13518

SHA256
89d2b1f22a5a7035029e4f5bc50be4359e260c9a10f1bf7c8c6cda1c8d873345

SHA512
a41864750b767c4d581f441a25c035cb9d4f6d217535bfa4582f043fdab5b42012caea4c30d72fe85d666185347aecbadfffe5eb0b92fb8fa64fe789f2d8d2da

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi

MD5
413aa90d1144a14c9312a94a5fe42a25

SHA1
a786ad9ffb2ec809bb2ef6756f74dc9f87022b46

SHA256
2226f2b024eef33476f2bb23e40ae745fc1bbf23c22b2e97a267cca8445d3684

SHA512
5fda83ea4ab9f3a2024c9dd37ba85950cd65649d3fa223866900353e170d2b23ca49c411dfb1c79934116f40a8768c456bbe5729ce87cfd21a8738fcfcc27397

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml

MD5
cb2b15537d53ef529a584c1bc44746f5

SHA1
0349563f8ebe9fc3605b02a87ee1122903ee71ac

SHA256
25b5a3c6d48f19c0f34a5449deb2f91a17243f4ed25ece925e1ee379055dfd49

SHA512
b7d5486b6234280c6be7b22a90b7ced2338bdab3e1ec57f83b06dd50735f4557a277f6ac32a79e1fc0d696d88f21faee01f2d7814f4f508ad7a82afde6c6af9a

Download Submit
C:\MSOCache\RyukReadMe.txt

MD5
c03e00c87643eb8a7003f8d4f316f07a

SHA1
aaa7c803c46cd29e2f3bf7e4fd175ab37c6a505f

SHA256
b26adbe1ce66ce56ca20e28d3e8c1bf6d810f8a7f3a1680760b7e16827a2f6e9

SHA512
fe378fea020670dee255cbafa3b7e97cab9ba0c7eef08083e7af5022515d073e932827a07caff9e2dee78fe765ea51f0ed2b8a601bf7febe353b472da674e14c

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt

MD5
c03e00c87643eb8a7003f8d4f316f07a

SHA1
aaa7c803c46cd29e2f3bf7e4fd175ab37c6a505f

SHA256
b26adbe1ce66ce56ca20e28d3e8c1bf6d810f8a7f3a1680760b7e16827a2f6e9

SHA512
fe378fea020670dee255cbafa3b7e97cab9ba0c7eef08083e7af5022515d073e932827a07caff9e2dee78fe765ea51f0ed2b8a601bf7febe353b472da674e14c

Download Submit
C:\users\Public\PUBLIC

MD5
2520beadff142483ff0135d20f80ad5b

SHA1
fe7e6ff0a792fa110b74842f3e47a27a46b3d483

SHA256
db9e8fd9b31b60bde269bfd14ad1d7bd60c41fe3c8c893682e06808195dfaf85

SHA512
bf780c565e0a9bb533b804e8985ef58abaa70a80b1a0d6bcc53c570374d47ed980ebaf43a79730b23ff2b9f281e5f9241c5a298356b8029f47d8622dc4cc91ac

Download Submit
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE

MD5
9532ed8d551a4c09947d6b499a340802

SHA1
5b97021076eb27e4b2e512e4b034724818d84dec

SHA256
ff4fe2e5350398f34540548cdcc373e8777e4c28470424d84010ddfa2061eacf

SHA512
8aeaad79662a9c4ce4c77b2799ebaa5b74eba1a1d283ad6088cf09d5f8ab28b395e5810f6c89ebcd09c3896d70454468ca9206738db97c87ce5c6d8416259ecf

Download Submit
memory/1220-56-0x0000000030000000-0x000000003002A000-memory.dmp

Filesize
168KB

Download
memory/1264-63-0x0000000030000000-0x000000003002A000-memory.dmp

Filesize
168KB

Download
memory/1400-77-0x0000000030000000-0x000000003002A000-memory.dmp

Filesize
168KB

Download
memory/1668-55-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download