8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736

Analysis

max time kernel
170s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
Size

136KB
MD5

61f3e072c19f758359d18d5e8f757630
SHA1

40665226308f95a4e297ccd1bc63e2b6e1337d6b
SHA256

8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736
SHA512

2302205f21afe80a4fd2027acb5faebf18ca6b5cc0f59581e6664877ca886ef4b0d3112aeefa6f76c7876c4db9536dd57a221ba80376b4b201e7729a5d639d6c

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 44 IoCs

evasion

pid	Process
3472	taskkill.exe
1756	taskkill.exe
3904	taskkill.exe
2400	taskkill.exe
2800	taskkill.exe
1652	taskkill.exe
2308	taskkill.exe
2740	taskkill.exe
3856	taskkill.exe
1976	taskkill.exe
1980	taskkill.exe
2968	taskkill.exe
3108	taskkill.exe
3352	taskkill.exe
1404	taskkill.exe
3948	taskkill.exe
1568	taskkill.exe
3484	taskkill.exe
712	taskkill.exe
3020	taskkill.exe
3376	taskkill.exe
3500	taskkill.exe
2196	taskkill.exe
1284	taskkill.exe
1504	taskkill.exe
3064	taskkill.exe
2656	taskkill.exe
2100	taskkill.exe
3096	taskkill.exe
448	taskkill.exe
2624	taskkill.exe
1260	taskkill.exe
1016	taskkill.exe
1272	taskkill.exe
396	taskkill.exe
788	taskkill.exe
2608	taskkill.exe
1448	taskkill.exe
3612	taskkill.exe
3832	taskkill.exe
1288	taskkill.exe
212	taskkill.exe
1476	taskkill.exe
3724	taskkill.exe

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1272	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	77
PID 2268 wrote to memory of 1272	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	77
PID 2268 wrote to memory of 1272	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	77
PID 2268 wrote to memory of 2308	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	78
PID 2268 wrote to memory of 2308	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	78
PID 2268 wrote to memory of 2308	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	78
PID 2268 wrote to memory of 1404	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	79
PID 2268 wrote to memory of 1404	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	79
PID 2268 wrote to memory of 1404	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	79
PID 2268 wrote to memory of 3948	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	80
PID 2268 wrote to memory of 3948	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	80
PID 2268 wrote to memory of 3948	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	80
PID 2268 wrote to memory of 212	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	81
PID 2268 wrote to memory of 212	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	81
PID 2268 wrote to memory of 212	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	81
PID 2268 wrote to memory of 1568	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	82
PID 2268 wrote to memory of 1568	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	82
PID 2268 wrote to memory of 1568	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	82
PID 2268 wrote to memory of 1476	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	83
PID 2268 wrote to memory of 1476	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	83
PID 2268 wrote to memory of 1476	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	83
PID 2268 wrote to memory of 1448	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	84
PID 2268 wrote to memory of 1448	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	84
PID 2268 wrote to memory of 1448	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	84
PID 2268 wrote to memory of 3376	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	85
PID 2268 wrote to memory of 3376	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	85
PID 2268 wrote to memory of 3376	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	85
PID 2268 wrote to memory of 3500	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	86
PID 2268 wrote to memory of 3500	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	86
PID 2268 wrote to memory of 3500	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	86
PID 2268 wrote to memory of 396	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	87
PID 2268 wrote to memory of 396	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	87
PID 2268 wrote to memory of 396	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	87
PID 2268 wrote to memory of 788	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	88
PID 2268 wrote to memory of 788	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	88
PID 2268 wrote to memory of 788	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	88
PID 2268 wrote to memory of 3096	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	89
PID 2268 wrote to memory of 3096	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	89
PID 2268 wrote to memory of 3096	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	89
PID 2268 wrote to memory of 2740	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	90
PID 2268 wrote to memory of 2740	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	90
PID 2268 wrote to memory of 2740	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	90
PID 2268 wrote to memory of 1756	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	91
PID 2268 wrote to memory of 1756	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	91
PID 2268 wrote to memory of 1756	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	91
PID 2268 wrote to memory of 3064	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	92
PID 2268 wrote to memory of 3064	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	92
PID 2268 wrote to memory of 3064	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	92
PID 2268 wrote to memory of 1976	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	93
PID 2268 wrote to memory of 1976	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	93
PID 2268 wrote to memory of 1976	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	93
PID 2268 wrote to memory of 3904	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	94
PID 2268 wrote to memory of 3904	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	94
PID 2268 wrote to memory of 3904	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	94
PID 2268 wrote to memory of 448	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	95
PID 2268 wrote to memory of 448	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	95
PID 2268 wrote to memory of 448	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	95
PID 2268 wrote to memory of 2196	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	96
PID 2268 wrote to memory of 2196	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	96
PID 2268 wrote to memory of 2196	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	96
PID 2268 wrote to memory of 3856	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	97
PID 2268 wrote to memory of 3856	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	97
PID 2268 wrote to memory of 3856	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	97
PID 2268 wrote to memory of 2624	2268	8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe	98

C:\Users\Admin\AppData\Local\Temp\8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe
"C:\Users\Admin\AppData\Local\Temp\8ce02ae8466375b1e5ee47e6b8c4e0b5f3dbb1b0493ba7012b3662b00cbfb736.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  PID:1272
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:2308
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  PID:1404
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:3948
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:212
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:1568
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:1476
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  PID:1448
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:3376
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:3500
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  PID:396
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:788
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:3096
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:2740
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:1756
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:3064
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:1976
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  PID:3904
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:448
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:2196
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:3856
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  PID:2624
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:1980
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  PID:3724
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:2800
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  PID:1260
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  PID:2968
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  PID:2656
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:2400
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:1288
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  PID:712
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:3020
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:2100
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:1284
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1016
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  PID:3612
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  PID:1504
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:1652
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:2608
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:3108
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  PID:3352
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:3484
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:3832
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  PID:3472
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
  2⤵
  PID:4328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3⤵
    PID:9120
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
  2⤵
  PID:4400
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3⤵
    PID:8752
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Agent" /y
    3⤵
    PID:8664
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
  2⤵
  PID:4472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:8968
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
  2⤵
  PID:4504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    3⤵
    PID:8516
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
  2⤵
  PID:4580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    3⤵
    PID:9128
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
  2⤵
  PID:4916
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    3⤵
    PID:9144
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
  2⤵
  PID:4952
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3⤵
    PID:8856
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
  2⤵
  PID:4992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3⤵
    PID:8912
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    3⤵
    PID:8636
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3⤵
    PID:8596
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3⤵
    PID:9040
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    3⤵
    PID:8684
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
  2⤵
  PID:5132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    3⤵
    PID:8864
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
  2⤵
  PID:5248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    3⤵
    PID:8832
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
  2⤵
  PID:5328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    3⤵
    PID:9160
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
  2⤵
  PID:5372
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    3⤵
    PID:8880
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
  2⤵
  PID:5456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:8960
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop AcronisAgent /y
  2⤵
  PID:5584
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:8760
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:8644
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop Antivirus /y
  2⤵
  PID:5668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Antivirus /y
    3⤵
    PID:8976
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ARSM /y
  2⤵
  PID:6112
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:8692
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5224
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:8676
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:5256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:8888
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:6128
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3⤵
    PID:8952
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:6180
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:8776
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
  2⤵
  PID:6220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:8572
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
  2⤵
  PID:6268
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:8500
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:6308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:8872
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop bedbg /y
  2⤵
  PID:6360
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:8588
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop DCAgent /y
  2⤵
  PID:6420
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop DCAgent /y
    3⤵
    PID:8612
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop EPSecurityService /y
  2⤵
  PID:6456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop EPSecurityService /y
    3⤵
    PID:8548
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop EPUpdateService /y
  2⤵
  PID:6508
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:8984
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
  2⤵
  PID:6536
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop EraserSvc11710 /y
    3⤵
    PID:8740
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop EsgShKernel /y
  2⤵
  PID:6596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop EsgShKernel /y
    3⤵
    PID:8936
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop FA_Scheduler /y
  2⤵
  PID:6668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop FA_Scheduler /y
    3⤵
    PID:8660
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISAdmin /y
  2⤵
  PID:6700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISAdmin /y
    3⤵
    PID:9112
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IMAP4Svc /y
  2⤵
  PID:6748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IMAP4Svc /y
    3⤵
    PID:8524
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop macmnsvc /y
  2⤵
  PID:6788
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop macmnsvc /y
    3⤵
    PID:9068
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop masvc /y
  2⤵
  PID:6828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop masvc /y
    3⤵
    PID:8896
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MBAMService /y
  2⤵
  PID:6884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:9168
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
  2⤵
  PID:6944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MBEndpointAgent /y
    3⤵
    PID:8848
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
  2⤵
  PID:7008
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeEngineService /y
    3⤵
    PID:8604
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeFramework /y
  2⤵
  PID:7044
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeFramework /y
    3⤵
    PID:8768
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:7080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:9104
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop McShield /y
  2⤵
  PID:7136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McShield /y
    3⤵
    PID:8840
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop McTaskManager /y
  2⤵
  PID:6332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:8532
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop mfemms /y
  2⤵
  PID:6516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mfemms /y
    3⤵
    PID:9008
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop mfevtp /y
  2⤵
  PID:6900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:8652
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MMS /y
  2⤵
  PID:7088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MMS /y
    3⤵
    PID:9152
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop mozyprobackup /y
  2⤵
  PID:7200
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mozyprobackup /y
    3⤵
    PID:9000
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer /y
  2⤵
  PID:7244
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer /y
    3⤵
    PID:8800
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
  2⤵
  PID:7280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer100 /y
    3⤵
    PID:8580
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
  2⤵
  PID:7316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer110 /y
    3⤵
    PID:9060
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeES /y
  2⤵
  PID:7340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeES /y
    3⤵
    PID:8508
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeIS /y
  2⤵
  PID:7388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS /y
    3⤵
    PID:9092
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:7408
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMGMT /y
    3⤵
    PID:9076
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeMTA /y
  2⤵
  PID:7436
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMTA /y
    3⤵
    PID:8928
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSA /y
  2⤵
  PID:7468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA /y
    3⤵
    PID:8732
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSRS /y
  2⤵
  PID:7488
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSRS /y
    3⤵
    PID:9032
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:7524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
    3⤵
    PID:8816
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:7544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:8944
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:7568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPS /y
    3⤵
    PID:8992
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:7608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:8620
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:7644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
    3⤵
    PID:8628
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:7688
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
    3⤵
    PID:8716
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:7700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:8920
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:7748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:8904
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:7940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:9016
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:7980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:8724
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:8000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    3⤵
    PID:8824
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:8032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:8780
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:8188
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:8540
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$TPS /y
  2⤵
  PID:7632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:8808
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:7684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
    3⤵
    PID:9084
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:9024
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:3592
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:8556
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
  2⤵
  PID:8048
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher /y
    3⤵
    PID:8700
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:7404
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:9136
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:7220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:8792
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:7948
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:8564
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:8316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:9208
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:8360
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:9660
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:8384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:9924
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:8444
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLSERVER /y
  2⤵
  PID:8488
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:9048
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:9228
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MySQL80 /y
  2⤵
  PID:10028
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MySQL57 /y
  2⤵
  PID:9180
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ntrtscan /y
  2⤵
  PID:10248
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop OracleClientCache80 /y
  2⤵
  PID:10260
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop PDVFSService /y
  2⤵
  PID:10272
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop POP3Svc /y
  2⤵
  PID:10284
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer /y
  2⤵
  PID:10296
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:10308
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:10384
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$TPS /y
  2⤵
  PID:10396

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
PID:3552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads