bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa

Analysis

max time kernel
72s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-02-2022 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe
Size

170KB
MD5

233fba8087f9d4562d87cb80fe733eae
SHA1

f1605281470dd007c5b91429ca7093ec031e4e0c
SHA256

bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa
SHA512

729d6273d2fa7dee2d9f515f07e42f7afecb8a1f7eb469afe8723c30569e2a38ebb2fb93d43db2dc3c549dbbc7df901b78cf6dc683082544274c321d5e92a387

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 44 IoCs

evasion

pid	Process
3684	taskkill.exe
3828	taskkill.exe
3908	taskkill.exe
2076	taskkill.exe
3532	taskkill.exe
3536	taskkill.exe
4216	taskkill.exe
3112	taskkill.exe
4924	taskkill.exe
2596	taskkill.exe
3996	taskkill.exe
1272	taskkill.exe
1924	taskkill.exe
3176	taskkill.exe
1864	taskkill.exe
5176	taskkill.exe
1772	taskkill.exe
1196	taskkill.exe
4168	taskkill.exe
4732	taskkill.exe
5008	taskkill.exe
4112	taskkill.exe
1536	taskkill.exe
1432	taskkill.exe
1712	taskkill.exe
2976	taskkill.exe
1988	taskkill.exe
3768	taskkill.exe
3104	taskkill.exe
4236	taskkill.exe
1968	taskkill.exe
4368	taskkill.exe
1704	taskkill.exe
3916	taskkill.exe
1080	taskkill.exe
4792	taskkill.exe
2448	taskkill.exe
3720	taskkill.exe
64	taskkill.exe
4148	taskkill.exe
1096	taskkill.exe
2644	taskkill.exe
3632	taskkill.exe
5136	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe
4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	3908	taskkill.exe
Token: SeDebugPrivilege	4924	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	4368	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	3768	taskkill.exe
Token: SeDebugPrivilege	3532	taskkill.exe
Token: SeDebugPrivilege	1864	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	3536	taskkill.exe
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	3176	taskkill.exe
Token: SeDebugPrivilege	3916	taskkill.exe
Token: SeDebugPrivilege	4732	taskkill.exe
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	4112	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	4236	taskkill.exe
Token: SeDebugPrivilege	3996	taskkill.exe
Token: SeDebugPrivilege	64	taskkill.exe
Token: SeDebugPrivilege	4168	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	3632	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	4216	taskkill.exe
Token: SeDebugPrivilege	4148	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	5136	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	3684	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	3828	taskkill.exe
Token: SeDebugPrivilege	3104	taskkill.exe
Token: SeDebugPrivilege	5176	taskkill.exe
Token: SeDebugPrivilege	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 4368	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	83
PID 4912 wrote to memory of 4368	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	83
PID 4912 wrote to memory of 2076	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	85
PID 4912 wrote to memory of 2076	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	85
PID 4912 wrote to memory of 4732	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	87
PID 4912 wrote to memory of 4732	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	87
PID 4912 wrote to memory of 3112	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	89
PID 4912 wrote to memory of 3112	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	89
PID 4912 wrote to memory of 1924	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	91
PID 4912 wrote to memory of 1924	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	91
PID 4912 wrote to memory of 1704	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	93
PID 4912 wrote to memory of 1704	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	93
PID 4912 wrote to memory of 3916	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	95
PID 4912 wrote to memory of 3916	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	95
PID 4912 wrote to memory of 3532	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	97
PID 4912 wrote to memory of 3532	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	97
PID 4912 wrote to memory of 3536	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	99
PID 4912 wrote to memory of 3536	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	99
PID 4912 wrote to memory of 1988	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	101
PID 4912 wrote to memory of 1988	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	101
PID 4912 wrote to memory of 3768	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	103
PID 4912 wrote to memory of 3768	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	103
PID 4912 wrote to memory of 5008	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	105
PID 4912 wrote to memory of 5008	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	105
PID 4912 wrote to memory of 4924	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	107
PID 4912 wrote to memory of 4924	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	107
PID 4912 wrote to memory of 4112	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	109
PID 4912 wrote to memory of 4112	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	109
PID 4912 wrote to memory of 3176	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	111
PID 4912 wrote to memory of 3176	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	111
PID 4912 wrote to memory of 3104	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	113
PID 4912 wrote to memory of 3104	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	113
PID 4912 wrote to memory of 1864	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	115
PID 4912 wrote to memory of 1864	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	115
PID 4912 wrote to memory of 1096	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	117
PID 4912 wrote to memory of 1096	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	117
PID 4912 wrote to memory of 1772	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	119
PID 4912 wrote to memory of 1772	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	119
PID 4912 wrote to memory of 1432	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	121
PID 4912 wrote to memory of 1432	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	121
PID 4912 wrote to memory of 2596	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	123
PID 4912 wrote to memory of 2596	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	123
PID 4912 wrote to memory of 2644	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	125
PID 4912 wrote to memory of 2644	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	125
PID 4912 wrote to memory of 4216	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	127
PID 4912 wrote to memory of 4216	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	127
PID 4912 wrote to memory of 3632	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	129
PID 4912 wrote to memory of 3632	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	129
PID 4912 wrote to memory of 4792	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	131
PID 4912 wrote to memory of 4792	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	131
PID 4912 wrote to memory of 2448	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	133
PID 4912 wrote to memory of 2448	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	133
PID 4912 wrote to memory of 1712	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	135
PID 4912 wrote to memory of 1712	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	135
PID 4912 wrote to memory of 3720	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	137
PID 4912 wrote to memory of 3720	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	137
PID 4912 wrote to memory of 2976	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	139
PID 4912 wrote to memory of 2976	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	139
PID 4912 wrote to memory of 4236	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	141
PID 4912 wrote to memory of 4236	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	141
PID 4912 wrote to memory of 3684	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	143
PID 4912 wrote to memory of 3684	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	143
PID 4912 wrote to memory of 1196	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	145
PID 4912 wrote to memory of 1196	4912	bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe	145

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2972

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2432

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe
"C:\Users\Admin\AppData\Local\Temp\bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3532
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3536
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3768
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4924
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3176
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4216
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4236
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3684
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:64
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3828
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3908
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5136
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5176
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
  2⤵
  PID:5304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3⤵
    PID:5644
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
  2⤵
  PID:5332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3⤵
    PID:5764
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
  2⤵
  PID:5964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Agent" /y
    3⤵
    PID:5348
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
  2⤵
  PID:6140
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:6228
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
  2⤵
  PID:4116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    3⤵
    PID:6296
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
  2⤵
  PID:5372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    3⤵
    PID:6396
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
  2⤵
  PID:5368
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    3⤵
    PID:6616
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
  2⤵
  PID:6160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3⤵
    PID:6660
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
  2⤵
  PID:6200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3⤵
    PID:6744
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
  2⤵
  PID:6264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    3⤵
    PID:6796
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
  2⤵
  PID:6344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3⤵
    PID:7004
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
  2⤵
  PID:6432
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3⤵
    PID:7132
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
  2⤵
  PID:6508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    3⤵
    PID:7092
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
  2⤵
  PID:6596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    3⤵
    PID:7164
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
  2⤵
  PID:6672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    3⤵
    PID:5648
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
  2⤵
  PID:6764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    3⤵
    PID:6300
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
  2⤵
  PID:6724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    3⤵
    PID:5396
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
  2⤵
  PID:6844
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:5620
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AcronisAgent /y
  2⤵
  PID:6912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:6800
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop Antivirus /y
  2⤵
  PID:7056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Antivirus /y
    3⤵
    PID:5528
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
  2⤵
  PID:6972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:6796
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ARSM /y
  2⤵
  PID:7116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:7240
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:6188
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:7304
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:6520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:7328
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:6116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3⤵
    PID:7480
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:5340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:7492
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:7212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:7736
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
  2⤵
  PID:6480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:7652
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
  2⤵
  PID:6772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:7572
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6480
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop bedbg /y
  2⤵
  PID:7284
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:7752
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop DCAgent /y
  2⤵
  PID:7360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DCAgent /y
    3⤵
    PID:7924
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EPSecurityService /y
  2⤵
  PID:7424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPSecurityService /y
    3⤵
    PID:7896
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EPUpdateService /y
  2⤵
  PID:7532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:8004
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
  2⤵
  PID:7664
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EraserSvc11710 /y
    3⤵
    PID:8132
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EsgShKernel /y
  2⤵
  PID:7712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EsgShKernel /y
    3⤵
    PID:8160
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop FA_Scheduler /y
  2⤵
  PID:7780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop FA_Scheduler /y
    3⤵
    PID:8168
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop IISAdmin /y
  2⤵
  PID:7852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IISAdmin /y
    3⤵
    PID:6208
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop IMAP4Svc /y
  2⤵
  PID:7904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IMAP4Svc /y
    3⤵
    PID:7300
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop macmnsvc /y
  2⤵
  PID:7984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop macmnsvc /y
    3⤵
    PID:6416
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop masvc /y
  2⤵
  PID:8112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop masvc /y
    3⤵
    PID:5964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MBAMService /y
  2⤵
  PID:8180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:5400
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
  2⤵
  PID:6244
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeEngineService /y
    3⤵
    PID:7724
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
  2⤵
  PID:6608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBEndpointAgent /y
    3⤵
    PID:7076
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeFramework /y
  2⤵
  PID:5752
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFramework /y
    3⤵
    PID:6704
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:6992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:6928
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McShield /y
  2⤵
  PID:7020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McShield /y
    3⤵
    PID:6456
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop McTaskManager /y
  2⤵
  PID:6192
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:6884
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfemms /y
  2⤵
  PID:6668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfemms /y
    3⤵
    PID:6260
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfevtp /y
  2⤵
  PID:6832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:7040
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MMS /y
  2⤵
  PID:6972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MMS /y
    3⤵
    PID:6952
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mozyprobackup /y
  2⤵
  PID:4452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mozyprobackup /y
    3⤵
    PID:5304
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer /y
  2⤵
  PID:8036
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer /y
    3⤵
    PID:7344
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
  2⤵
  PID:6604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer100 /y
    3⤵
    PID:7720
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
  2⤵
  PID:6896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer110 /y
    3⤵
    PID:7920
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5368
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeES /y
  2⤵
  PID:7624
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeES /y
    3⤵
    PID:7560
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeIS /y
  2⤵
  PID:6652
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS /y
    3⤵
    PID:7188
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:4872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMGMT /y
    3⤵
    PID:7368
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeMTA /y
  2⤵
  PID:6028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMTA /y
    3⤵
    PID:7252
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSA /y
  2⤵
  PID:4116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA /y
    3⤵
    PID:7668
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:7236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
    3⤵
    PID:6236
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSRS /y
  2⤵
  PID:6772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSRS /y
    3⤵
    PID:8040
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:8136
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:8124
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:7316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPS /y
    3⤵
    PID:7500
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:7380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:7272
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:6700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
    3⤵
    PID:8184
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:7800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
    3⤵
    PID:7248
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:7556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:8060
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:6492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:6308
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:6608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:7148
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:7892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:5636
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:8072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    3⤵
    PID:8148
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:7296
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:5520
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:7960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:6436
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$TPS /y
  2⤵
  PID:5588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:5436
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:5616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
    3⤵
    PID:7724
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SQL Backups" /y
    3⤵
    PID:7996
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:5516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:6756
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:7160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:7672
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
  2⤵
  PID:5532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher /y
    3⤵
    PID:3416
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:5968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:6812
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:6900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:5320
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:6596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:7640
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:5452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:7812
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:6188
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:6732
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:6148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:6940
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:6968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:7120
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLSERVER /y
  2⤵
  PID:7104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER /y
    3⤵
    PID:6652
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:4452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
    3⤵
    PID:7348
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:6156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
    3⤵
    PID:7368
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MySQL80 /y
  2⤵
  PID:7536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL80 /y
    3⤵
    PID:6504
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MySQL57 /y
  2⤵
  PID:7188
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL57 /y
    3⤵
    PID:7252
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ntrtscan /y
  2⤵
  PID:4116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ntrtscan /y
    3⤵
    PID:7472
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop OracleClientCache80 /y
  2⤵
  PID:7772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop OracleClientCache80 /y
    3⤵
    PID:8004
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop PDVFSService /y
  2⤵
  PID:7808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:7236
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop POP3Svc /y
  2⤵
  PID:6200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop POP3Svc /y
    3⤵
    PID:6208
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer /y
  2⤵
  PID:4180
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer /y
    3⤵
    PID:7340
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:7268
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:8168
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:7404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:6676
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$TPS /y
  2⤵
  PID:7852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPS /y
    3⤵
    PID:8060
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:7380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
    3⤵
    PID:8068
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop RESvc /y
  2⤵
  PID:7924
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RESvc /y
    3⤵
    PID:7692
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SamSs /y
  2⤵
  PID:6944
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SamSs /y
    3⤵
    PID:7992
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SAVAdminService /y
  2⤵
  PID:6492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVAdminService /y
    3⤵
    PID:3792
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop sacsvr /y
  2⤵
  PID:7932
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sacsvr /y
    3⤵
    PID:7904
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SAVService /y
  2⤵
  PID:5996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVService /y
    3⤵
    PID:6848
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SDRSVC /y
  2⤵
  PID:2408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SDRSVC /y
    3⤵
    PID:5536
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SepMasterService /y
  2⤵
  PID:5520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SepMasterService /y
    3⤵
    PID:5492
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ShMonitor /y
  2⤵
  PID:5424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ShMonitor /y
    3⤵
    PID:3068
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop Smcinst /y
  2⤵
  PID:7724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Smcinst /y
    3⤵
    PID:5572
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SmcService /y
  2⤵
  PID:6436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SmcService /y
    3⤵
    PID:6188
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SMTPSvc /y
  2⤵
  PID:5552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SMTPSvc /y
    3⤵
    PID:7128
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SNAC /y
  2⤵
  PID:5516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SNAC /y
    3⤵
    PID:7720
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SntpService /y
  2⤵
  PID:7040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SntpService /y
    3⤵
    PID:5372
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop sophossps /y
  2⤵
  PID:6632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophossps /y
    3⤵
    PID:7388
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:7564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
    3⤵
    PID:5304
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:6752
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:7480
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:7240
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:5644
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:6900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:6028
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:6792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:7468
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:6832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:8092
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:4452
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:8164
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:7156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
    3⤵
    PID:5400
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:8128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPS /y
    3⤵
    PID:7340
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:7576
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:8084
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:5312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
    3⤵
    PID:7844
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:6700
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:7520
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:7440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:5596
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLBrowser /y
  2⤵
  PID:7872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser /y
    3⤵
    PID:7532
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:8176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSafeOLRService /y
    3⤵
    PID:6688
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:7408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSERVERAGENT /y
    3⤵
    PID:7852
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:5712
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7300
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY /y
    3⤵
    PID:4820
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:8136
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:7768
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLWriter /y
  2⤵
  PID:6160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLWriter /y
    3⤵
    PID:5536
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SstpSvc /y
  2⤵
  PID:7800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SstpSvc /y
    3⤵
    PID:7764
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop svcGenericHost /y
  2⤵
  PID:5884
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop svcGenericHost /y
    3⤵
    PID:7164
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_filter /y
  2⤵
  PID:7504
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_filter /y
    3⤵
    PID:7892
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_service /y
  2⤵
  PID:7976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_service /y
    3⤵
    PID:6992
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_update_64 /y
  2⤵
  PID:6656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update_64 /y
    3⤵
    PID:7196
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TmCCSF /y
  2⤵
  PID:7376
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TmCCSF /y
    3⤵
    PID:5580
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop tmlisten /y
  2⤵
  PID:6756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop tmlisten /y
    3⤵
    PID:7372
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKey /y
  2⤵
  PID:6908
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKey /y
    3⤵
    PID:7592
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:6456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyScheduler /y
    3⤵
    PID:6304
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:6288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
    3⤵
    PID:6616
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop UI0Detect /y
  2⤵
  PID:3068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop UI0Detect /y
    3⤵
    PID:6832
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:7328
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBackupSvc /y
    3⤵
    PID:5372
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:5588
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7572
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    3⤵
    PID:6772
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:5352
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    3⤵
    PID:6148
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:7424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCloudSvc /y
    3⤵
    PID:6244
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:7444
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploySvc /y
    3⤵
    PID:6900
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:6940
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:5056
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:5308
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:7716
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:6116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamRESTSvc /y
    3⤵
    PID:6744
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop W3Svc /y
  2⤵
  PID:6684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop W3Svc /y
    3⤵
    PID:6212
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7344
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop wbengine /y
  2⤵
  PID:7760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:6420
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop WRSVC /y
  2⤵
  PID:6236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop WRSVC /y
    3⤵
    PID:8096
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6700
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:7436
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:4180
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:5144
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
    3⤵
    PID:7464
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop swi_update /y
  2⤵
  PID:7576
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update /y
    3⤵
    PID:8168
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:7984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CXDB /y
    3⤵
    PID:6436
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:5436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:5520
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:7540
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
  2⤵
  PID:7124
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
    3⤵
    PID:7116
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:3792
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROD /y
    3⤵
    PID:5884
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:6872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper /y
    3⤵
    PID:7372
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop msftesql$PROD /y
  2⤵
  PID:7284
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msftesql$PROD /y
    3⤵
    PID:7240
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PROD /y
  2⤵
  PID:7920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROD /y
    3⤵
    PID:7740
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop NetMsmqActivator /y
  2⤵
  PID:6492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetMsmqActivator /y
    3⤵
    PID:6292
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop EhttpSrv /y
  2⤵
  PID:7884
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EhttpSrv /y
    3⤵
    PID:6604
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:5600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
    3⤵
    PID:7304
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ESHASRV /y
  2⤵
  PID:7208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ESHASRV /y
    3⤵
    PID:7788
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop ekrn /y
  2⤵
  PID:7064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ekrn /y
    3⤵
    PID:3728
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "SQL Backups" /y
  2⤵
  PID:5616
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:1936
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5468
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop VeeamMountSvc /y
  2⤵
  PID:6536
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:4372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
    3⤵
    PID:8116
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop AVP /y
  2⤵
  PID:3068
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AVP /y
    3⤵
    PID:6968
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop klnagent /y
  2⤵
  PID:5300
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:6032
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:6400
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:6312
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:5620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:5644
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop wbengine /y
  2⤵
  PID:7364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:6516
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop kavfsslp /y
  2⤵
  PID:560
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:7640
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop KAVFSGT /y
  2⤵
  PID:7776
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFSGT /y
    3⤵
    PID:3272
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop KAVFS /y
  2⤵
  PID:6680
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFS /y
    3⤵
    PID:6924
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop mfefire /y
  2⤵
  PID:7712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfefire /y
    3⤵
    PID:6752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe" /f
  2⤵
  PID:7948
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\bac0152c0f9f780d7038fbcab4371859c9e920149c6f5bcc9bfc5a53c9d10caa.exe" /f
    3⤵
    PID:8124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:8160

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:7212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:7044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:6512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:5492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:6928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:7468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:7040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2336-130-0x00007FF6985D0000-0x00007FF698605000-memory.dmp

Filesize
212KB

Download