buran | 13f476ec8dba856b93c2b799dbf9994191d14e9dbc2c6d75c9ec3d8054144b3f

Analysis

max time kernel
151s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-06-2022 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36c3-malwarexchg-part3/1.exe
Size

477KB
MD5

a1b5dc4fd2cd2b54498faf42fe9b5e50
SHA1

46edeab30fe0696422edad230116c51d5b145aa3
SHA256

533e14cb3a1434f68321fb9fd2a2e66d0a12ce16f792ee47e77edf8eb2aeac21
SHA512

6316f72a06960def5f9f086b4a258adf8dad7396524597fa23f2b781b87418b1009b5b8f7a67e90406739e2bdf3db873254ace84b64c6b569bda8c0435821848

Score

10^/10

buran evasion persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 4C2-345-092 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Clears Windows event logs 1 TTPs 3 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
1472	wevtutil.exe
2008	wevtutil.exe
2596	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
4240	StartMenuExperienceHost.exe
3896	StartMenuExperienceHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\" -start"	1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	StartMenuExperienceHost.exe
File opened (read-only)	\??\X:	StartMenuExperienceHost.exe
File opened (read-only)	\??\V:	StartMenuExperienceHost.exe
File opened (read-only)	\??\T:	StartMenuExperienceHost.exe
File opened (read-only)	\??\R:	StartMenuExperienceHost.exe
File opened (read-only)	\??\Q:	StartMenuExperienceHost.exe
File opened (read-only)	\??\O:	StartMenuExperienceHost.exe
File opened (read-only)	\??\I:	StartMenuExperienceHost.exe
File opened (read-only)	\??\B:	StartMenuExperienceHost.exe
File opened (read-only)	\??\A:	StartMenuExperienceHost.exe
File opened (read-only)	\??\Y:	StartMenuExperienceHost.exe
File opened (read-only)	\??\G:	StartMenuExperienceHost.exe
File opened (read-only)	\??\E:	StartMenuExperienceHost.exe
File opened (read-only)	\??\W:	StartMenuExperienceHost.exe
File opened (read-only)	\??\S:	StartMenuExperienceHost.exe
File opened (read-only)	\??\P:	StartMenuExperienceHost.exe
File opened (read-only)	\??\N:	StartMenuExperienceHost.exe
File opened (read-only)	\??\M:	StartMenuExperienceHost.exe
File opened (read-only)	\??\J:	StartMenuExperienceHost.exe
File opened (read-only)	\??\F:	StartMenuExperienceHost.exe
File opened (read-only)	\??\U:	StartMenuExperienceHost.exe
File opened (read-only)	\??\L:	StartMenuExperienceHost.exe
File opened (read-only)	\??\K:	StartMenuExperienceHost.exe
File opened (read-only)	\??\H:	StartMenuExperienceHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_scale-125.png	StartMenuExperienceHost.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-unplated_contrast-black.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-256.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\am-ET\View3d\3DViewerProductDescription-universal.xml	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\View3d\3DViewerProductDescription-universal.xml	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-400_contrast-black.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoInternetConnection_120x80.svg	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_lv.json	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-colorize.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32_altform-lightunplated.png	StartMenuExperienceHost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine_2.3.0.v20140506-1720.jar	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteSmallTile.scale-100.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\iadata\BlockPair.bin	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLogo.scale-125.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-lightunplated.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-72.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-64.png	StartMenuExperienceHost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\191.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W2.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_altform-unplated_contrast-white.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\MedTile.scale-200.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_selected_18.svg	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt_3.103.1.v20140903-1938.jar	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-100.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\updater_ja.jar.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\PREVIEW.GIF.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalStoreLogo.scale-200.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteMediumTile.scale-125.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-200.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-100_contrast-black.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK.winmd	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-60_altform-unplated_contrast-white.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.4C2-345-092	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\manifest.xml	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_altform-unplated_contrast-white.png	StartMenuExperienceHost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-32.png	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\ui-strings.js	StartMenuExperienceHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js.4C2-345-092	StartMenuExperienceHost.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3060	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
312	1.exe
312	1.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	312	1.exe
Token: SeDebugPrivilege	312	1.exe
Token: SeDebugPrivilege	4240	StartMenuExperienceHost.exe
Token: SeIncreaseQuotaPrivilege	4156	WMIC.exe
Token: SeSecurityPrivilege	4156	WMIC.exe
Token: SeTakeOwnershipPrivilege	4156	WMIC.exe
Token: SeLoadDriverPrivilege	4156	WMIC.exe
Token: SeSystemProfilePrivilege	4156	WMIC.exe
Token: SeSystemtimePrivilege	4156	WMIC.exe
Token: SeProfSingleProcessPrivilege	4156	WMIC.exe
Token: SeIncBasePriorityPrivilege	4156	WMIC.exe
Token: SeCreatePagefilePrivilege	4156	WMIC.exe
Token: SeBackupPrivilege	4156	WMIC.exe
Token: SeRestorePrivilege	4156	WMIC.exe
Token: SeShutdownPrivilege	4156	WMIC.exe
Token: SeDebugPrivilege	4156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4156	WMIC.exe
Token: SeRemoteShutdownPrivilege	4156	WMIC.exe
Token: SeUndockPrivilege	4156	WMIC.exe
Token: SeManageVolumePrivilege	4156	WMIC.exe
Token: 33	4156	WMIC.exe
Token: 34	4156	WMIC.exe
Token: 35	4156	WMIC.exe
Token: 36	4156	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4156	WMIC.exe
Token: SeSecurityPrivilege	4156	WMIC.exe
Token: SeTakeOwnershipPrivilege	4156	WMIC.exe
Token: SeLoadDriverPrivilege	4156	WMIC.exe
Token: SeSystemProfilePrivilege	4156	WMIC.exe
Token: SeSystemtimePrivilege	4156	WMIC.exe
Token: SeProfSingleProcessPrivilege	4156	WMIC.exe
Token: SeIncBasePriorityPrivilege	4156	WMIC.exe
Token: SeCreatePagefilePrivilege	4156	WMIC.exe
Token: SeBackupPrivilege	4156	WMIC.exe
Token: SeRestorePrivilege	4156	WMIC.exe
Token: SeShutdownPrivilege	4156	WMIC.exe
Token: SeDebugPrivilege	4156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4156	WMIC.exe
Token: SeRemoteShutdownPrivilege	4156	WMIC.exe
Token: SeUndockPrivilege	4156	WMIC.exe
Token: SeManageVolumePrivilege	4156	WMIC.exe
Token: 33	4156	WMIC.exe
Token: 34	4156	WMIC.exe
Token: 35	4156	WMIC.exe
Token: 36	4156	WMIC.exe
Token: SeBackupPrivilege	5032	vssvc.exe
Token: SeRestorePrivilege	5032	vssvc.exe
Token: SeAuditPrivilege	5032	vssvc.exe
Token: SeSecurityPrivilege	2008	wevtutil.exe
Token: SeBackupPrivilege	2008	wevtutil.exe
Token: SeSecurityPrivilege	2596	wevtutil.exe
Token: SeBackupPrivilege	2596	wevtutil.exe
Token: SeSecurityPrivilege	1472	wevtutil.exe
Token: SeBackupPrivilege	1472	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 312 wrote to memory of 4240	312	1.exe	79
PID 312 wrote to memory of 4240	312	1.exe	79
PID 312 wrote to memory of 4240	312	1.exe	79
PID 312 wrote to memory of 1920	312	1.exe	80
PID 312 wrote to memory of 1920	312	1.exe	80
PID 312 wrote to memory of 1920	312	1.exe	80
PID 312 wrote to memory of 1920	312	1.exe	80
PID 312 wrote to memory of 1920	312	1.exe	80
PID 312 wrote to memory of 1920	312	1.exe	80
PID 4240 wrote to memory of 3896	4240	StartMenuExperienceHost.exe	88
PID 4240 wrote to memory of 3896	4240	StartMenuExperienceHost.exe	88
PID 4240 wrote to memory of 3896	4240	StartMenuExperienceHost.exe	88
PID 4240 wrote to memory of 540	4240	StartMenuExperienceHost.exe	89
PID 4240 wrote to memory of 540	4240	StartMenuExperienceHost.exe	89
PID 4240 wrote to memory of 540	4240	StartMenuExperienceHost.exe	89
PID 540 wrote to memory of 2176	540	cmd.exe	91
PID 540 wrote to memory of 2176	540	cmd.exe	91
PID 540 wrote to memory of 2176	540	cmd.exe	91
PID 2176 wrote to memory of 4716	2176	net.exe	92
PID 2176 wrote to memory of 4716	2176	net.exe	92
PID 2176 wrote to memory of 4716	2176	net.exe	92
PID 4240 wrote to memory of 1384	4240	StartMenuExperienceHost.exe	93
PID 4240 wrote to memory of 1384	4240	StartMenuExperienceHost.exe	93
PID 4240 wrote to memory of 1384	4240	StartMenuExperienceHost.exe	93
PID 1384 wrote to memory of 4656	1384	cmd.exe	95
PID 1384 wrote to memory of 4656	1384	cmd.exe	95
PID 1384 wrote to memory of 4656	1384	cmd.exe	95
PID 4656 wrote to memory of 4604	4656	net.exe	96
PID 4656 wrote to memory of 4604	4656	net.exe	96
PID 4656 wrote to memory of 4604	4656	net.exe	96
PID 4240 wrote to memory of 1432	4240	StartMenuExperienceHost.exe	97
PID 4240 wrote to memory of 1432	4240	StartMenuExperienceHost.exe	97
PID 4240 wrote to memory of 1432	4240	StartMenuExperienceHost.exe	97
PID 1432 wrote to memory of 4348	1432	cmd.exe	99
PID 1432 wrote to memory of 4348	1432	cmd.exe	99
PID 1432 wrote to memory of 4348	1432	cmd.exe	99
PID 4348 wrote to memory of 4992	4348	net.exe	100
PID 4348 wrote to memory of 4992	4348	net.exe	100
PID 4348 wrote to memory of 4992	4348	net.exe	100
PID 4240 wrote to memory of 868	4240	StartMenuExperienceHost.exe	101
PID 4240 wrote to memory of 868	4240	StartMenuExperienceHost.exe	101
PID 4240 wrote to memory of 868	4240	StartMenuExperienceHost.exe	101
PID 868 wrote to memory of 760	868	cmd.exe	103
PID 868 wrote to memory of 760	868	cmd.exe	103
PID 868 wrote to memory of 760	868	cmd.exe	103
PID 760 wrote to memory of 1124	760	net.exe	104
PID 760 wrote to memory of 1124	760	net.exe	104
PID 760 wrote to memory of 1124	760	net.exe	104
PID 4240 wrote to memory of 3540	4240	StartMenuExperienceHost.exe	105
PID 4240 wrote to memory of 3540	4240	StartMenuExperienceHost.exe	105
PID 4240 wrote to memory of 3540	4240	StartMenuExperienceHost.exe	105
PID 3540 wrote to memory of 3344	3540	cmd.exe	107
PID 3540 wrote to memory of 3344	3540	cmd.exe	107
PID 3540 wrote to memory of 3344	3540	cmd.exe	107
PID 3344 wrote to memory of 924	3344	net.exe	108
PID 3344 wrote to memory of 924	3344	net.exe	108
PID 3344 wrote to memory of 924	3344	net.exe	108
PID 4240 wrote to memory of 1020	4240	StartMenuExperienceHost.exe	109
PID 4240 wrote to memory of 1020	4240	StartMenuExperienceHost.exe	109
PID 4240 wrote to memory of 1020	4240	StartMenuExperienceHost.exe	109
PID 1020 wrote to memory of 1524	1020	cmd.exe	111
PID 1020 wrote to memory of 1524	1020	cmd.exe	111
PID 1020 wrote to memory of 1524	1020	cmd.exe	111
PID 1524 wrote to memory of 2216	1524	net.exe	112

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1316	attrib.exe

C:\Users\Admin\AppData\Local\Temp\36c3-malwarexchg-part3\1.exe
"C:\Users\Admin\AppData\Local\Temp\36c3-malwarexchg-part3\1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:312
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Acronis VSS Provider" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\SysWOW64\net.exe
      net stop "Acronis VSS Provider" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
        5⤵
        
        PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Enterprise Client Service" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1384
  - - C:\Windows\SysWOW64\net.exe
      net stop "Enterprise Client Service" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Enterprise Client Service" /y
        5⤵
        
        PID:4604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "SQL Backups" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQL Backups" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQL Backups" /y
        5⤵
        
        PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "SQLsafe Backup Service" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLsafe Backup Service" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:760
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
        5⤵
        
        PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "SQLsafe Filter Service" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLsafe Filter Service" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3344
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
        5⤵
        
        PID:924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos Agent" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos Agent" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Agent" /y
        5⤵
        
        PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:1816
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos AutoUpdate Service" /y
      4⤵
      PID:3152
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
        5⤵
        
        PID:4612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos Clean Service" /y
    3⤵
    PID:3932
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos Clean Service" /y
      4⤵
      PID:4376
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Clean Service" /y
        5⤵
        
        PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos Device Control Service" /y
    3⤵
    PID:2012
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos Device Control Service" /y
      4⤵
      PID:2440
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
        5⤵
        
        PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos File Scanner Service" /y
    3⤵
    PID:4752
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos File Scanner Service" /y
      4⤵
      PID:2196
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
        5⤵
        
        PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos Health Service" /y
    3⤵
    PID:4040
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos Health Service" /y
      4⤵
      PID:1132
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Health Service" /y
        5⤵
        
        PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos MCS Agent" /y
    3⤵
    PID:3212
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos MCS Agent" /y
      4⤵
      PID:628
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
        5⤵
        
        PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos MCS Client" /y
    3⤵
    PID:4736
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos MCS Client" /y
      4⤵
      PID:2708
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos MCS Client" /y
        5⤵
        
        PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos Message Router" /y
    3⤵
    PID:912
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos Message Router" /y
      4⤵
      PID:3968
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Message Router" /y
        5⤵
        
        PID:3396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos Safestore Service" /y
    3⤵
    PID:1452
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos Safestore Service" /y
      4⤵
      PID:4192
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
        5⤵
        
        PID:3476
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos System Protection Service" /y
    3⤵
    PID:456
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos System Protection Service" /y
      4⤵
      PID:3720
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
        5⤵
        
        PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Sophos Web Control Service" /y
    3⤵
    PID:4472
  - - C:\Windows\SysWOW64\net.exe
      net stop "Sophos Web Control Service" /y
      4⤵
      PID:4900
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
        5⤵
        
        PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Symantec System Recovery" /y
    3⤵
    PID:2136
  - - C:\Windows\SysWOW64\net.exe
      net stop "Symantec System Recovery" /y
      4⤵
      PID:4544
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Symantec System Recovery" /y
        5⤵
        
        PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:1580
  - - C:\Windows\SysWOW64\net.exe
      net stop "Veeam Backup Catalog Data Service" /y
      4⤵
      PID:2188
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
        5⤵
        
        PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop "Zoolz 2 Service" /y
    3⤵
    PID:3772
  - - C:\Windows\SysWOW64\net.exe
      net stop "Zoolz 2 Service" /y
      4⤵
      PID:1136
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
        5⤵
        
        PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ARSM /y
    3⤵
    PID:3552
  - - C:\Windows\SysWOW64\net.exe
      net stop ARSM /y
      4⤵
      PID:5060
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ARSM /y
        5⤵
        
        PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop AVP /y
    3⤵
    PID:2348
  - - C:\Windows\SysWOW64\net.exe
      net stop AVP /y
      4⤵
      PID:4416
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AVP /y
        5⤵
        
        PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop AcrSch2Svc /y
    3⤵
    PID:2128
  - - C:\Windows\SysWOW64\net.exe
      net stop AcrSch2Svc /y
      4⤵
      PID:5116
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AcrSch2Svc /y
        5⤵
        
        PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop AcronisAgent /y
    3⤵
    PID:4424
  - - C:\Windows\SysWOW64\net.exe
      net stop AcronisAgent /y
      4⤵
      PID:2892
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AcronisAgent /y
        5⤵
        
        PID:852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop Antivirus /y
    3⤵
    PID:1320
  - - C:\Windows\SysWOW64\net.exe
      net stop Antivirus /y
      4⤵
      PID:2256
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Antivirus /y
        5⤵
        
        PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop BackupExecAgentAccelerator /y
    3⤵
    PID:5064
  - - C:\Windows\SysWOW64\net.exe
      net stop BackupExecAgentAccelerator /y
      4⤵
      PID:4116
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
        5⤵
        
        PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop BackupExecAgentBrowser /y
    3⤵
    PID:1820
  - - C:\Windows\SysWOW64\net.exe
      net stop BackupExecAgentBrowser /y
      4⤵
      PID:1316
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
        5⤵
        
        PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop BackupExecDeviceMediaService /y
    3⤵
    PID:1448
  - - C:\Windows\SysWOW64\net.exe
      net stop BackupExecDeviceMediaService /y
      4⤵
      PID:3048
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
        5⤵
        
        PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop BackupExecJobEngine /y
    3⤵
    PID:2284
  - - C:\Windows\SysWOW64\net.exe
      net stop BackupExecJobEngine /y
      4⤵
      PID:1236
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecJobEngine /y
        5⤵
        
        PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop BackupExecManagementService /y
    3⤵
    PID:2180
  - - C:\Windows\SysWOW64\net.exe
      net stop BackupExecManagementService /y
      4⤵
      PID:1572
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecManagementService /y
        5⤵
        
        PID:3448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop BackupExecRPCService /y
    3⤵
    PID:1748
  - - C:\Windows\SysWOW64\net.exe
      net stop BackupExecRPCService /y
      4⤵
      PID:4040
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecRPCService /y
        5⤵
        
        PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop BackupExecVSSProvider /y
    3⤵
    PID:3836
  - - C:\Windows\SysWOW64\net.exe
      net stop BackupExecVSSProvider /y
      4⤵
      PID:1884
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecVSSProvider /y
        5⤵
        
        PID:964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop DCAgent /y
    3⤵
    PID:3224
  - - C:\Windows\SysWOW64\net.exe
      net stop DCAgent /y
      4⤵
      PID:4916
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DCAgent /y
        5⤵
        
        PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop EPSecurityService /y
    3⤵
    PID:2780
  - - C:\Windows\SysWOW64\net.exe
      net stop EPSecurityService /y
      4⤵
      PID:3972
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EPSecurityService /y
        5⤵
        
        PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop EPUpdateService /y
    3⤵
    PID:3124
  - - C:\Windows\SysWOW64\net.exe
      net stop EPUpdateService /y
      4⤵
      PID:4488
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EPUpdateService /y
        5⤵
        
        PID:4792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ESHASRV /y
    3⤵
    PID:3008
  - - C:\Windows\SysWOW64\net.exe
      net stop ESHASRV /y
      4⤵
      PID:3720
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ESHASRV /y
        5⤵
        
        PID:3388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop EhttpSrv /y
    3⤵
    PID:1920
  - - C:\Windows\SysWOW64\net.exe
      net stop EhttpSrv /y
      4⤵
      PID:4624
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EhttpSrv /y
        5⤵
        
        PID:4572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop EraserSvc11710 /y
    3⤵
    PID:1712
  - - C:\Windows\SysWOW64\net.exe
      net stop EraserSvc11710 /y
      4⤵
      PID:996
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EraserSvc11710 /y
        5⤵
        
        PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop EsgShKernel /y
    3⤵
    PID:2136
  - - C:\Windows\SysWOW64\net.exe
      net stop EsgShKernel /y
      4⤵
      PID:1976
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EsgShKernel /y
        5⤵
        
        PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop FA_Scheduler /y
    3⤵
    PID:3952
  - - C:\Windows\SysWOW64\net.exe
      net stop FA_Scheduler /y
      4⤵
      PID:5024
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop FA_Scheduler /y
        5⤵
        
        PID:4644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop IISAdmin /y
    3⤵
    PID:540
  - - C:\Windows\SysWOW64\net.exe
      net stop IISAdmin /y
      4⤵
      PID:1520
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop IISAdmin /y
        5⤵
        
        PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop IMAP4Svc /y
    3⤵
    PID:4808
  - - C:\Windows\SysWOW64\net.exe
      net stop IMAP4Svc /y
      4⤵
      PID:4996
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop IMAP4Svc /y
        5⤵
        
        PID:4416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop KAVFS /y
    3⤵
    PID:1432
  - - C:\Windows\SysWOW64\net.exe
      net stop KAVFS /y
      4⤵
      PID:3460
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KAVFS /y
        5⤵
        
        PID:560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop KAVFSGT /y
    3⤵
    PID:2128
  - - C:\Windows\SysWOW64\net.exe
      net stop KAVFSGT /y
      4⤵
      PID:2892
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KAVFSGT /y
        5⤵
        
        PID:624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MBAMService /y
    3⤵
    PID:928
  - - C:\Windows\SysWOW64\net.exe
      net stop MBAMService /y
      4⤵
      PID:3652
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MBAMService /y
        5⤵
        
        PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MBEndpointAgent /y
    3⤵
    PID:1776
  - - C:\Windows\SysWOW64\net.exe
      net stop MBEndpointAgent /y
      4⤵
      PID:3116
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MBEndpointAgent /y
        5⤵
        
        PID:4032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MMS /y
    3⤵
    PID:4852
  - - C:\Windows\SysWOW64\net.exe
      net stop MMS /y
      4⤵
      PID:3924
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MMS /y
        5⤵
        
        PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSExchangeES /y
    3⤵
    PID:1328
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeES /y
      4⤵
      PID:1448
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeES /y
        5⤵
        
        PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSExchangeIS /y
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeIS /y
      4⤵
      PID:2012
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeIS /y
        5⤵
        
        PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSExchangeMGMT /y
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeMGMT /y
      4⤵
      PID:4268
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeMGMT /y
        5⤵
        
        PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSExchangeMTA /y
    3⤵
    PID:1972
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeMTA /y
      4⤵
      PID:1604
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeMTA /y
        5⤵
        
        PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSExchangeSA /y
    3⤵
    PID:3212
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeSA /y
      4⤵
      PID:4080
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeSA /y
        5⤵
        
        PID:776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSExchangeSRS /y
    3⤵
    PID:4864
  - - C:\Windows\SysWOW64\net.exe
      net stop MSExchangeSRS /y
      4⤵
      PID:2548
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeSRS /y
        5⤵
        
        PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSOLAP$SQL_2008 /y
    3⤵
    PID:3928
  - - C:\Windows\SysWOW64\net.exe
      net stop MSOLAP$SQL_2008 /y
      4⤵
      PID:4948
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
        5⤵
        
        PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:4536
  - - C:\Windows\SysWOW64\net.exe
      net stop MSOLAP$SYSTEM_BGC /y
      4⤵
      PID:3476
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
        5⤵
        
        PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSOLAP$TPS /y
    3⤵
    PID:3056
  - - C:\Windows\SysWOW64\net.exe
      net stop MSOLAP$TPS /y
      4⤵
      PID:1460
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$TPS /y
        5⤵
        
        PID:3388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSOLAP$TPSAMA /y
    3⤵
    PID:4468
  - - C:\Windows\SysWOW64\net.exe
      net stop MSOLAP$TPSAMA /y
      4⤵
      PID:1092
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
        5⤵
        
        PID:312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$BKUPEXEC /y
    3⤵
    PID:4440
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$BKUPEXEC /y
      4⤵
      PID:1712
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
        5⤵
        
        PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$ECWDB2 /y
    3⤵
    PID:1428
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$ECWDB2 /y
      4⤵
      PID:4648
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
        5⤵
        
        PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:2516
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:212
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
        5⤵
        
        PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:3772
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:2644
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
        5⤵
        
        PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$PROD /y
    3⤵
    PID:1244
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PROD /y
      4⤵
      PID:1224
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PROD /y
        5⤵
        
        PID:4104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:5004
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:1484
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
        5⤵
        
        PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$SBSMONITORING /y
    3⤵
    PID:560
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SBSMONITORING /y
      4⤵
      PID:3800
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
        5⤵
        
        PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$SHAREPOINT /y
    3⤵
    PID:3540
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SHAREPOINT /y
      4⤵
      PID:4496
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
        5⤵
        
        PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$SOPHOS /y
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SOPHOS /y
      4⤵
      PID:5064
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
        5⤵
        
        PID:3116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:1776
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:828
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
        5⤵
        
        PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$SQL_2008 /y
    3⤵
    PID:4696
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SQL_2008 /y
      4⤵
      PID:2072
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
        5⤵
        
        PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:4124
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
        5⤵
        
        PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$TPS /y
    3⤵
    PID:3060
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$TPS /y
      4⤵
      PID:4752
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$TPS /y
        5⤵
        
        PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$TPSAMA /y
    3⤵
    PID:3384
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$TPSAMA /y
      4⤵
      PID:2268
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
        5⤵
        
        PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:2064
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:1748
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
        5⤵
        
        PID:3144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:5048
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:3212
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
        5⤵
        
        PID:3836
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:4916
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:5100
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
        5⤵
        
        PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher /y
    3⤵
    PID:4092
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLFDLauncher /y
      4⤵
      PID:3176
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher /y
        5⤵
        
        PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:2756
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:4332
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
        5⤵
        
        PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:1664
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLFDLauncher$SBSMONITORING /y
      4⤵
      PID:3008
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
        5⤵
        
        PID:832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:3388
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLFDLauncher$SHAREPOINT /y
      4⤵
      PID:4908
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
        5⤵
        
        PID:4624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:3136
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:1056
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
        5⤵
        
        PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:4440
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:3632
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
        5⤵
        
        PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:2136
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLFDLauncher$TPS /y
      4⤵
      PID:240
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
        5⤵
        
        PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:4832
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLFDLauncher$TPSAMA /y
      4⤵
      PID:3480
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
        5⤵
        
        PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLSERVER /y
    3⤵
    PID:2644
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLSERVER /y
      4⤵
      PID:5028
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLSERVER /y
        5⤵
        
        PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLServerADHelper /y
    3⤵
    PID:4844
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLServerADHelper /y
      4⤵
      PID:3680
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper /y
        5⤵
        
        PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLServerADHelper100 /y
    3⤵
    PID:4720
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLServerADHelper100 /y
      4⤵
      PID:5036
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
        5⤵
        
        PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MSSQLServerOLAPService /y
    3⤵
    PID:4756
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLServerOLAPService /y
      4⤵
      PID:916
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
        5⤵
        
        PID:924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop McAfeeEngineService /y
    3⤵
    PID:1020
  - - C:\Windows\SysWOW64\net.exe
      net stop McAfeeEngineService /y
      4⤵
      PID:4236
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McAfeeEngineService /y
        5⤵
        
        PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop McAfeeFramework /y
    3⤵
    PID:3532
  - - C:\Windows\SysWOW64\net.exe
      net stop McAfeeFramework /y
      4⤵
      PID:1524
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McAfeeFramework /y
        5⤵
        
        PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:3888
  - - C:\Windows\SysWOW64\net.exe
      net stop McAfeeFrameworkMcAfeeFramework /y
      4⤵
      PID:4224
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
        5⤵
        
        PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop McShield /y
    3⤵
    PID:3932
  - - C:\Windows\SysWOW64\net.exe
      net stop McShield /y
      4⤵
      PID:3688
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McShield /y
        5⤵
        
        PID:768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop McTaskManager /y
    3⤵
    PID:4124
  - - C:\Windows\SysWOW64\net.exe
      net stop McTaskManager /y
      4⤵
      PID:4264
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McTaskManager /y
        5⤵
        
        PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MsDtsServer /y
    3⤵
    PID:2440
  - - C:\Windows\SysWOW64\net.exe
      net stop MsDtsServer /y
      4⤵
      PID:4880
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MsDtsServer /y
        5⤵
        
        PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MsDtsServer100 /y
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\net.exe
      net stop MsDtsServer100 /y
      4⤵
      PID:2276
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MsDtsServer100 /y
        5⤵
        
        PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MsDtsServer110 /y
    3⤵
    PID:2064
  - - C:\Windows\SysWOW64\net.exe
      net stop MsDtsServer110 /y
      4⤵
      PID:3212
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MsDtsServer110 /y
        5⤵
        
        PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MySQL57 /y
    3⤵
    PID:3264
  - - C:\Windows\SysWOW64\net.exe
      net stop MySQL57 /y
      4⤵
      PID:1156
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MySQL57 /y
        5⤵
        
        PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop MySQL80 /y
    3⤵
    PID:4136
  - - C:\Windows\SysWOW64\net.exe
      net stop MySQL80 /y
      4⤵
      PID:2660
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MySQL80 /y
        5⤵
        
        PID:4352
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop NetMsmqActivator /y
    3⤵
    PID:4192
  - - C:\Windows\SysWOW64\net.exe
      net stop NetMsmqActivator /y
      4⤵
      PID:4976
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop NetMsmqActivator /y
        5⤵
        
        PID:864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop OracleClientCache80 /y
    3⤵
    PID:3040
  - - C:\Windows\SysWOW64\net.exe
      net stop OracleClientCache80 /y
      4⤵
      PID:4132
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop OracleClientCache80 /y
        5⤵
        
        PID:3940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop PDVFSService /y
    3⤵
    PID:4624
  - - C:\Windows\SysWOW64\net.exe
      net stop PDVFSService /y
      4⤵
      PID:4900
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop PDVFSService /y
        5⤵
        
        PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop POP3Svc /y
    3⤵
    PID:1712
  - - C:\Windows\SysWOW64\net.exe
      net stop POP3Svc /y
      4⤵
      PID:996
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop POP3Svc /y
        5⤵
        
        PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop RESvc /y
    3⤵
    PID:3632
  - - C:\Windows\SysWOW64\net.exe
      net stop RESvc /y
      4⤵
      PID:460
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RESvc /y
        5⤵
        
        PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ReportServer /y
    3⤵
    PID:4156
  - - C:\Windows\SysWOW64\net.exe
      net stop ReportServer /y
      4⤵
      PID:4656
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer /y
        5⤵
        
        PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ReportServer$SQL_2008 /y
    3⤵
    PID:1416
  - - C:\Windows\SysWOW64\net.exe
      net stop ReportServer$SQL_2008 /y
      4⤵
      PID:1648
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
        5⤵
        
        PID:672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:5060
  - - C:\Windows\SysWOW64\net.exe
      net stop ReportServer$SYSTEM_BGC /y
      4⤵
      PID:1248
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
        5⤵
        
        PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ReportServer$TPS /y
    3⤵
    PID:400
  - - C:\Windows\SysWOW64\net.exe
      net stop ReportServer$TPS /y
      4⤵
      PID:760
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer$TPS /y
        5⤵
        
        PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ReportServer$TPSAMA /y
    3⤵
    PID:4180
  - - C:\Windows\SysWOW64\net.exe
      net stop ReportServer$TPSAMA /y
      4⤵
      PID:4204
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
        5⤵
        
        PID:924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SAVAdminService /y
    3⤵
    PID:3344
  - - C:\Windows\SysWOW64\net.exe
      net stop SAVAdminService /y
      4⤵
      PID:2888
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SAVAdminService /y
        5⤵
        
        PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SAVService /y
    3⤵
    PID:4236
  - - C:\Windows\SysWOW64\net.exe
      net stop SAVService /y
      4⤵
      PID:1112
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SAVService /y
        5⤵
        
        PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SDRSVC /y
    3⤵
    PID:4828
  - - C:\Windows\SysWOW64\net.exe
      net stop SDRSVC /y
      4⤵
      PID:2080
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SDRSVC /y
        5⤵
        
        PID:828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SMTPSvc /y
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\net.exe
      net stop SMTPSvc /y
      4⤵
      PID:1816
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SMTPSvc /y
        5⤵
        
        PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SNAC /y
    3⤵
    PID:1500
  - - C:\Windows\SysWOW64\net.exe
      net stop SNAC /y
      4⤵
      PID:4592
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SNAC /y
        5⤵
        
        PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:2016
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$BKUPEXEC /y
      4⤵
      PID:4264
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
        5⤵
        
        PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:2388
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$CITRIX_METAFRAME /y
      4⤵
      PID:4880
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
        5⤵
        
        PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$CXDB /y
    3⤵
    PID:2196
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$CXDB /y
      4⤵
      PID:1972
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$CXDB /y
        5⤵
        
        PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$ECWDB2 /y
    3⤵
    PID:5088
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$ECWDB2 /y
      4⤵
      PID:5092
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
        5⤵
        
        PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:4748
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$PRACTTICEBGC /y
      4⤵
      PID:912
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
        5⤵
        
        PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:1156
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$PRACTTICEMGT /y
      4⤵
      PID:3928
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
        5⤵
        
        PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$PROD /y
    3⤵
    PID:3968
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$PROD /y
      4⤵
      PID:3176
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$PROD /y
        5⤵
        
        PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:1276
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$PROFXENGAGEMENT /y
      4⤵
      PID:4332
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
        5⤵
        
        PID:3280
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:4468
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$SBSMONITORING /y
      4⤵
      PID:4232
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
        5⤵
        
        PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:1920
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$SHAREPOINT /y
      4⤵
      PID:3104
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
        5⤵
        
        PID:4572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SOPHOS /y
    3⤵
    PID:3464
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$SOPHOS /y
      4⤵
      PID:4796
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
        5⤵
        
        PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:4064
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$SQLEXPRESS /y
      4⤵
      PID:1580
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
        5⤵
        
        PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SQL_2008 /y
    3⤵
    PID:404
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$SQL_2008 /y
      4⤵
      PID:4156
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
        5⤵
        
        PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:2676
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$SYSTEM_BGC /y
      4⤵
      PID:5032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
        5⤵
        
        PID:3680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$TPS /y
    3⤵
    PID:5072
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$TPS /y
      4⤵
      PID:3772
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$TPS /y
        5⤵
        
        PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$TPSAMA /y
    3⤵
    PID:2312
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$TPSAMA /y
      4⤵
      PID:972
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
        5⤵
        
        PID:924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:4276
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:3540
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
        5⤵
        
        PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:4584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
        5⤵
        
        PID:928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:1020
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLAgent$VEEAMSQL2012 /y
      4⤵
      PID:2080
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
        5⤵
        
        PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLBrowser /y
    3⤵
    PID:4828
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLBrowser /y
      4⤵
      PID:1776
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser /y
        5⤵
        
        PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLSERVERAGENT /y
    3⤵
    PID:4200
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLSERVERAGENT /y
      4⤵
      PID:2072
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLSERVERAGENT /y
        5⤵
        
        PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLSafeOLRService /y
    3⤵
    PID:3048
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLSafeOLRService /y
      4⤵
      PID:1000
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLSafeOLRService /y
        5⤵
        
        PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLTELEMETRY /y
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLTELEMETRY /y
      4⤵
      PID:2180
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLTELEMETRY /y
        5⤵
        
        PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:2276
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:1132
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
        5⤵
        
        PID:3600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SQLWriter /y
    3⤵
    PID:2236
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLWriter /y
      4⤵
      PID:1168
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter /y
        5⤵
        
        PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SamSs /y
    3⤵
    PID:3944
  - - C:\Windows\SysWOW64\net.exe
      net stop SamSs /y
      4⤵
      PID:5068
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SamSs /y
        5⤵
        
        PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SepMasterService /y
    3⤵
    PID:2780
  - - C:\Windows\SysWOW64\net.exe
      net stop SepMasterService /y
      4⤵
      PID:4588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SepMasterService /y
        5⤵
        
        PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ShMonitor /y
    3⤵
    PID:3396
  - - C:\Windows\SysWOW64\net.exe
      net stop ShMonitor /y
      4⤵
      PID:4092
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ShMonitor /y
        5⤵
        
        PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SmcService /y
    3⤵
    PID:3476
  - - C:\Windows\SysWOW64\net.exe
      net stop SmcService /y
      4⤵
      PID:2028
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SmcService /y
        5⤵
        
        PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop Smcinst /y
    3⤵
    PID:3720
  - - C:\Windows\SysWOW64\net.exe
      net stop Smcinst /y
      4⤵
      PID:1664
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Smcinst /y
        5⤵
        
        PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SntpService /y
    3⤵
    PID:316
  - - C:\Windows\SysWOW64\net.exe
      net stop SntpService /y
      4⤵
      PID:4900
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SntpService /y
        5⤵
        
        PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop SstpSvc /y
    3⤵
    PID:1056
  - - C:\Windows\SysWOW64\net.exe
      net stop SstpSvc /y
      4⤵
      PID:996
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SstpSvc /y
        5⤵
        
        PID:724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop TmCCSF /y
    3⤵
    PID:2136
  - - C:\Windows\SysWOW64\net.exe
      net stop TmCCSF /y
      4⤵
      PID:212
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TmCCSF /y
        5⤵
        
        PID:460
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop TrueKey /y
    3⤵
    PID:656
  - - C:\Windows\SysWOW64\net.exe
      net stop TrueKey /y
      4⤵
      PID:3892
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TrueKey /y
        5⤵
        
        PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop TrueKeyScheduler /y
    3⤵
    PID:1648
  - - C:\Windows\SysWOW64\net.exe
      net stop TrueKeyScheduler /y
      4⤵
      PID:4968
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TrueKeyScheduler /y
        5⤵
        
        PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop TrueKeyServiceHelper /y
    3⤵
    PID:2644
  - - C:\Windows\SysWOW64\net.exe
      net stop TrueKeyServiceHelper /y
      4⤵
      PID:3304
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
        5⤵
        
        PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop UI0Detect /y
    3⤵
    PID:5052
  - - C:\Windows\SysWOW64\net.exe
      net stop UI0Detect /y
      4⤵
      PID:1244
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UI0Detect /y
        5⤵
        
        PID:4844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamBackupSvc /y
    3⤵
    PID:4180
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamBackupSvc /y
      4⤵
      PID:4724
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamBackupSvc /y
        5⤵
        
        PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamBrokerSvc /y
    3⤵
    PID:4424
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamBrokerSvc /y
      4⤵
      PID:4612
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamBrokerSvc /y
        5⤵
        
        PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamCatalogSvc /y
    3⤵
    PID:3644
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamCatalogSvc /y
      4⤵
      PID:3924
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamCatalogSvc /y
        5⤵
        
        PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamCloudSvc /y
    3⤵
    PID:4236
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamCloudSvc /y
      4⤵
      PID:3640
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamCloudSvc /y
        5⤵
        
        PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamDeploySvc /y
    3⤵
    PID:5080
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamDeploySvc /y
      4⤵
      PID:3688
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamDeploySvc /y
        5⤵
        
        PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamDeploymentService /y
    3⤵
    PID:1824
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamDeploymentService /y
      4⤵
      PID:5020
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamDeploymentService /y
        5⤵
        
        PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:3400
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:2388
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
        5⤵
        
        PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamHvIntegrationSvc /y
    3⤵
    PID:4040
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamHvIntegrationSvc /y
      4⤵
      PID:2024
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
        5⤵
        
        PID:3548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamMountSvc /y
    3⤵
    PID:4912
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamMountSvc /y
      4⤵
      PID:4268
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamMountSvc /y
        5⤵
        
        PID:5040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamNFSSvc /y
    3⤵
    PID:2236
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamNFSSvc /y
      4⤵
      PID:4352
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamNFSSvc /y
        5⤵
        
        PID:3656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamRESTSvc /y
    3⤵
    PID:2172
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamRESTSvc /y
      4⤵
      PID:4588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamRESTSvc /y
        5⤵
        
        PID:3224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop VeeamTransportSvc /y
    3⤵
    PID:1156
  - - C:\Windows\SysWOW64\net.exe
      net stop VeeamTransportSvc /y
      4⤵
      PID:3544
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamTransportSvc /y
        5⤵
        
        PID:3968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop W3Svc /y
    3⤵
    PID:3176
  - - C:\Windows\SysWOW64\net.exe
      net stop W3Svc /y
      4⤵
      PID:3940
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop W3Svc /y
        5⤵
        
        PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop WRSVC /y
    3⤵
    PID:3476
  - - C:\Windows\SysWOW64\net.exe
      net stop WRSVC /y
      4⤵
      PID:2844
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop WRSVC /y
        5⤵
        
        PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop bedbg /y
    3⤵
    PID:3720
  - - C:\Windows\SysWOW64\net.exe
      net stop bedbg /y
      4⤵
      PID:3468
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop bedbg /y
        5⤵
        
        PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ekrn /y
    3⤵
    PID:4624
  - - C:\Windows\SysWOW64\net.exe
      net stop ekrn /y
      4⤵
      PID:4648
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ekrn /y
        5⤵
        
        PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop kavfsslp /y
    3⤵
    PID:3136
  - - C:\Windows\SysWOW64\net.exe
      net stop kavfsslp /y
      4⤵
      PID:32
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop kavfsslp /y
        5⤵
        
        PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop klnagent /y
    3⤵
    PID:2136
  - - C:\Windows\SysWOW64\net.exe
      net stop klnagent /y
      4⤵
      PID:4560
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop klnagent /y
        5⤵
        
        PID:116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop macmnsvc /y
    3⤵
    PID:4156
  - - C:\Windows\SysWOW64\net.exe
      net stop macmnsvc /y
      4⤵
      PID:4280
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop macmnsvc /y
        5⤵
        
        PID:4644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop masvc /y
    3⤵
    PID:3680
  - - C:\Windows\SysWOW64\net.exe
      net stop masvc /y
      4⤵
      PID:5116
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop masvc /y
        5⤵
        
        PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop mfefire /y
    3⤵
    PID:5036
  - - C:\Windows\SysWOW64\net.exe
      net stop mfefire /y
      4⤵
      PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop mfemms /y
    3⤵
    PID:2252
  - - C:\Windows\SysWOW64\net.exe
      net stop mfemms /y
      4⤵
      PID:852
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mfemms /y
        5⤵
        
        PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop mfevtp /y
    3⤵
    PID:4720
  - - C:\Windows\SysWOW64\net.exe
      net stop mfevtp /y
      4⤵
      PID:624
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mfevtp /y
        5⤵
        
        PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop mozyprobackup /y
    3⤵
    PID:2020
  - - C:\Windows\SysWOW64\net.exe
      net stop mozyprobackup /y
      4⤵
      PID:1532
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mozyprobackup /y
        5⤵
        
        PID:3344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop msftesql$PROD /y
    3⤵
    PID:828
  - - C:\Windows\SysWOW64\net.exe
      net stop msftesql$PROD /y
      4⤵
      PID:1436
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop msftesql$PROD /y
        5⤵
        
        PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop ntrtscan /y
    3⤵
    PID:2220
  - - C:\Windows\SysWOW64\net.exe
      net stop ntrtscan /y
      4⤵
      PID:2672
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ntrtscan /y
        5⤵
        
        PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop sacsvr /y
    3⤵
    PID:4696
  - - C:\Windows\SysWOW64\net.exe
      net stop sacsvr /y
      4⤵
      PID:768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sacsvr /y
        5⤵
        
        PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop sophossps /y
    3⤵
    PID:3060
  - - C:\Windows\SysWOW64\net.exe
      net stop sophossps /y
      4⤵
      PID:1000
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sophossps /y
        5⤵
        
        PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop svcGenericHost /y
    3⤵
    PID:2408
  - - C:\Windows\SysWOW64\net.exe
      net stop svcGenericHost /y
      4⤵
      PID:2960
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop svcGenericHost /y
        5⤵
        
        PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop swi_filter /y
    3⤵
    PID:964
  - - C:\Windows\SysWOW64\net.exe
      net stop swi_filter /y
      4⤵
      PID:3600
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop swi_filter /y
        5⤵
        
        PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop swi_service /y
    3⤵
    PID:1072
  - - C:\Windows\SysWOW64\net.exe
      net stop swi_service /y
      4⤵
      PID:4268
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop swi_service /y
        5⤵
        
        PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop swi_update /y
    3⤵
    PID:2648
  - - C:\Windows\SysWOW64\net.exe
      net stop swi_update /y
      4⤵
      PID:5068
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop swi_update /y
        5⤵
        
        PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop swi_update_64 /y
    3⤵
    PID:3964
  - - C:\Windows\SysWOW64\net.exe
      net stop swi_update_64 /y
      4⤵
      PID:5100
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop swi_update_64 /y
        5⤵
        
        PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop tmlisten /y
    3⤵
    PID:2172
  - - C:\Windows\SysWOW64\net.exe
      net stop tmlisten /y
      4⤵
      PID:3972
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tmlisten /y
        5⤵
        
        PID:4744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop wbengine /y
    3⤵
    PID:3056
  - - C:\Windows\SysWOW64\net.exe
      net stop wbengine /y
      4⤵
      PID:456
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wbengine /y
        5⤵
        
        PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C net stop wbengine /y
    3⤵
    PID:4136
  - - C:\Windows\SysWOW64\net.exe
      net stop wbengine /y
      4⤵
      PID:2844
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wbengine /y
        5⤵
        
        PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:3476
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    PID:460
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:1416
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
    3⤵
    PID:880
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
      4⤵
      PID:916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    3⤵
    PID:5052
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
      4⤵
      PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
    3⤵
    PID:868
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
      4⤵
      PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C attrib "%userprofile%\documents\Default.rdp" -s -h
    3⤵
    PID:2232
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\documents\Default.rdp" -s -h
      4⤵
      Views/modifies file attributes
      PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C del "%userprofile%\documents\Default.rdp"
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Application
    3⤵
    PID:1020
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe clear-log Application
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Security
    3⤵
    PID:3532
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe clear-log Security
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log System
    3⤵
    PID:5080
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe clear-log System
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C sc config eventlog start=disabled
    3⤵
    PID:1824
  - - C:\Windows\SysWOW64\sc.exe
      sc config eventlog start=disabled
      4⤵
      Launches sc.exe
      PID:3060
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:1920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
1⤵
PID:4104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
728B

MD5
f4c83a1d286b21beab4beff15e456bcc

SHA1
ba39d94f00adbe78bc1e625e2227ace3e1599533

SHA256
61dac4068dd0e2a479a977eec641629f4cf7da9764d284a9ae76b5ed3768cfa6

SHA512
fb2bfe0e8209ac317069906f90132c417d15be517aa628162a0ac5d915e57c25d653c44b5c31a101398770277468c31ec0300087ff31e3b834822e146b37f08e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
472B

MD5
0d239cc711741c15b936d5fe3ac425dc

SHA1
e0748be47d0023909843b2976a2ca474cb2e9233

SHA256
9bc1f05479105878355603c4d1f936ea3f7383494de6dd106b97f0d69aabd833

SHA512
873df6a6224656faecdfbf2503617e1737bf315bc702a451d20a9834a87cd995f4b0d24d5ad717b99138715557a465d077fb002bc4a9641146486d5119fc9024

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
471B

MD5
08a6cafc63db4d500c1de531b2f73d9c

SHA1
5868e7435e4d710ef27a2007ac20cc8411b08454

SHA256
4872f59f963b9da3dc0e82995fcacfeb77366e0b631b90c4c0a14b738e3cf2f3

SHA512
bbe04b36fc8b928aecc8706459ffde4749e9b175d0d803490540ad5a717addc8b40bf0f05a08eff342c2e495e338b51d57226ea105d164dda3cea7a01b459248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
398B

MD5
22070d90a00885c72036dcd820c5728e

SHA1
e6bae3df26bfbe1ef35da335b365844bab92327f

SHA256
942bed723f0f8f43e02fa213d0f7a59a1a828d00e9bbd47befea3a44b8135a27

SHA512
d58042ebd28e5c9b0f3b0477787987ab6b39420bb006da6066a299a7b747acde64bd8b392441534bb847e5ecb2b208c30ff8a33db5a0431affa4e6e204782473

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
402B

MD5
d261385d2a21bd8679835ed475608575

SHA1
14ed1fb30f2c26a7b27c69f727baf2c57ba9321f

SHA256
b032dab2ccddafc695fb123798ba9426de825853615313aa56be6405a4d63e99

SHA512
fd4a6561c7035a465766b629e811d951d8e23af889ff61e51560cab24ac06356d714f273c31ea8d0c122f5c8b359cd34f8bf6f3aa5840d41a7fd8fff9dbce26a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
396B

MD5
27e3f98c7bf814948715abc4cd2a5ecb

SHA1
ed1606b0ea65dba0bb345efa09f2810bb8ba69e3

SHA256
14ae88c2d760379171d85f39db2d451344a83da93ad9fd77bbec9c7dd57a2ef2

SHA512
2ba05e583a88eaa5b6f919d5b6a10bb5fd9f6e9152f889f6e75545af959af9644d2bdbd367403549bd3db62af969b1460db67a4b77ed51e910598c4ad18814ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2VJX7YH7\18DI20OM.htm

Filesize
18KB

MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8SYI24T6\H1BK9RVI.htm

Filesize
184B

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe

Filesize
477KB

MD5
a1b5dc4fd2cd2b54498faf42fe9b5e50

SHA1
46edeab30fe0696422edad230116c51d5b145aa3

SHA256
533e14cb3a1434f68321fb9fd2a2e66d0a12ce16f792ee47e77edf8eb2aeac21

SHA512
6316f72a06960def5f9f086b4a258adf8dad7396524597fa23f2b781b87418b1009b5b8f7a67e90406739e2bdf3db873254ace84b64c6b569bda8c0435821848

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe

Filesize
477KB

MD5
a1b5dc4fd2cd2b54498faf42fe9b5e50

SHA1
46edeab30fe0696422edad230116c51d5b145aa3

SHA256
533e14cb3a1434f68321fb9fd2a2e66d0a12ce16f792ee47e77edf8eb2aeac21

SHA512
6316f72a06960def5f9f086b4a258adf8dad7396524597fa23f2b781b87418b1009b5b8f7a67e90406739e2bdf3db873254ace84b64c6b569bda8c0435821848

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe

Filesize
477KB

MD5
a1b5dc4fd2cd2b54498faf42fe9b5e50

SHA1
46edeab30fe0696422edad230116c51d5b145aa3

SHA256
533e14cb3a1434f68321fb9fd2a2e66d0a12ce16f792ee47e77edf8eb2aeac21

SHA512
6316f72a06960def5f9f086b4a258adf8dad7396524597fa23f2b781b87418b1009b5b8f7a67e90406739e2bdf3db873254ace84b64c6b569bda8c0435821848

Download Submit
memory/312-137-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/312-132-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/312-131-0x0000000002200000-0x0000000002376000-memory.dmp

Filesize
1.5MB

Download
memory/312-130-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/312-138-0x0000000002200000-0x0000000002376000-memory.dmp

Filesize
1.5MB

Download
memory/3896-169-0x00000000022A0000-0x0000000002416000-memory.dmp

Filesize
1.5MB

Download
memory/3896-219-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/3896-218-0x00000000022A0000-0x0000000002416000-memory.dmp

Filesize
1.5MB

Download
memory/3896-217-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/3896-195-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/4240-149-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/4240-151-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/4240-139-0x0000000002320000-0x0000000002496000-memory.dmp

Filesize
1.5MB

Download
memory/4240-142-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/4240-150-0x0000000002320000-0x0000000002496000-memory.dmp

Filesize
1.5MB

Download