Analysis Overview
SHA256
ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76
Threat Level: Known bad
The file ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe was found to be: Known bad.
Malicious Activity Summary
Babuk Locker
Deletes shadow copies
Modifies extensions of user files
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-04-20 13:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-04-20 13:37
Reported
2021-04-20 13:39
Platform
win7v20210410
Max time kernel
7s
Max time network
10s
Command Line
Signatures
Babuk Locker
Deletes shadow copies
Modifies extensions of user files
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
"C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe"
C:\Windows\system32\cmd.exe
cmd.exe /c net stop mssqlserver /y
C:\Windows\system32\net.exe
net stop mssqlserver /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mssqlserver /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop vss /y
C:\Windows\system32\net.exe
net stop vss /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vss /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop sql /y
C:\Windows\system32\net.exe
net stop sql /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sql /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop svc$ /y
C:\Windows\system32\net.exe
net stop svc$ /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svc$ /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop memtas /y
C:\Windows\system32\net.exe
net stop memtas /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop memtas /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop mepocs /y
C:\Windows\system32\net.exe
net stop mepocs /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mepocs /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop sophos /y
C:\Windows\system32\net.exe
net stop sophos /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop veeam /y
C:\Windows\system32\net.exe
net stop veeam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop backup /y
C:\Windows\system32\net.exe
net stop backup /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop backup /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop GxVss /y
C:\Windows\system32\net.exe
net stop GxVss /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GxVss /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop GxBlr /y
C:\Windows\system32\net.exe
net stop GxBlr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GxBlr /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop GxFWD /y
C:\Windows\system32\net.exe
net stop GxFWD /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GxFWD /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop GxCVD /y
C:\Windows\system32\net.exe
net stop GxCVD /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GxCVD /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop GxCIMgr /y
C:\Windows\system32\net.exe
net stop GxCIMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GxCIMgr /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop DefWatch /y
C:\Windows\system32\net.exe
net stop DefWatch /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop ccEvtMgr /y
C:\Windows\system32\net.exe
net stop ccEvtMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop ccSetMgr /y
C:\Windows\system32\net.exe
net stop ccSetMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop SavRoam /y
C:\Windows\system32\net.exe
net stop SavRoam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop RTVscan /y
C:\Windows\system32\net.exe
net stop RTVscan /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop QBFCService /y
C:\Windows\system32\net.exe
net stop QBFCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop QBIDPService /y
C:\Windows\system32\net.exe
net stop QBIDPService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop Intuit.QuickBooks.FCS /y
C:\Windows\system32\net.exe
net stop Intuit.QuickBooks.FCS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop QBCFMonitorService /y
C:\Windows\system32\net.exe
net stop QBCFMonitorService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop YooBackup /y
C:\Windows\system32\net.exe
net stop YooBackup /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop YooIT /y
C:\Windows\system32\net.exe
net stop YooIT /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop zhudongfangyu /y
C:\Windows\system32\net.exe
net stop zhudongfangyu /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop sophos /y
C:\Windows\system32\net.exe
net stop sophos /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop stc_raw_agent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
C:\Windows\system32\net.exe
net stop stc_raw_agent /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop VSNAPVSS /y
C:\Windows\system32\net.exe
net stop VSNAPVSS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop VeeamTransportSvc /y
C:\Windows\system32\net.exe
net stop VeeamTransportSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop VeeamDeploymentService /y
C:\Windows\system32\net.exe
net stop VeeamDeploymentService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop VeeamNFSSvc /y
C:\Windows\system32\net.exe
net stop VeeamNFSSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop veeam /y
C:\Windows\system32\net.exe
net stop veeam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop PDVFSService /y
C:\Windows\system32\net.exe
net stop PDVFSService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop BackupExecVSSProvider /y
C:\Windows\system32\net.exe
net stop BackupExecVSSProvider /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop BackupExecAgentAccelerator /y
C:\Windows\system32\net.exe
net stop BackupExecAgentAccelerator /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop BackupExecAgentBrowser /y
C:\Windows\system32\net.exe
net stop BackupExecAgentBrowser /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop BackupExecDiveciMediaService /y
C:\Windows\system32\net.exe
net stop BackupExecDiveciMediaService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop BackupExecJobEngine /y
C:\Windows\system32\net.exe
net stop BackupExecJobEngine /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop BackupExecManagementService /y
C:\Windows\system32\net.exe
net stop BackupExecManagementService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop BackupExecRPCService /y
C:\Windows\system32\net.exe
net stop BackupExecRPCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop AcrSch2Svc /y
C:\Windows\system32\net.exe
net stop AcrSch2Svc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop AcronisAgent /y
C:\Windows\system32\net.exe
net stop AcronisAgent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop CASAD2DWebSvc /y
C:\Windows\system32\net.exe
net stop CASAD2DWebSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop CAARCUpdateSvc /y
C:\Windows\system32\net.exe
net stop CAARCUpdateSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
C:\Windows\system32\cmd.exe
cmd.exe /c net stop GoogleChromeElevationService /y
C:\Windows\system32\net.exe
net stop GoogleChromeElevationService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GoogleChromeElevationService /y
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2021-04-20 13:37
Reported
2021-04-20 13:39
Platform
win10v20210408
Max time kernel
87s
Max time network
111s
Command Line
Signatures
Babuk Locker
Deletes shadow copies
Modifies extensions of user files
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
"C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop mssqlserver /y
C:\Windows\system32\net.exe
net stop mssqlserver /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mssqlserver /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop vss /y
C:\Windows\system32\net.exe
net stop vss /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vss /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop sql /y
C:\Windows\system32\net.exe
net stop sql /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sql /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop svc$ /y
C:\Windows\system32\net.exe
net stop svc$ /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svc$ /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop memtas /y
C:\Windows\system32\net.exe
net stop memtas /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop memtas /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop mepocs /y
C:\Windows\system32\net.exe
net stop mepocs /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mepocs /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop sophos /y
C:\Windows\system32\net.exe
net stop sophos /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop veeam /y
C:\Windows\system32\net.exe
net stop veeam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop backup /y
C:\Windows\system32\net.exe
net stop backup /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop backup /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop GxVss /y
C:\Windows\system32\net.exe
net stop GxVss /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GxVss /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop GxBlr /y
C:\Windows\system32\net.exe
net stop GxBlr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GxBlr /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop GxFWD /y
C:\Windows\system32\net.exe
net stop GxFWD /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GxFWD /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop GxCVD /y
C:\Windows\system32\net.exe
net stop GxCVD /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GxCVD /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop GxCIMgr /y
C:\Windows\system32\net.exe
net stop GxCIMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GxCIMgr /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop DefWatch /y
C:\Windows\system32\net.exe
net stop DefWatch /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop ccEvtMgr /y
C:\Windows\system32\net.exe
net stop ccEvtMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop ccSetMgr /y
C:\Windows\system32\net.exe
net stop ccSetMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SavRoam /y
C:\Windows\system32\net.exe
net stop SavRoam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop RTVscan /y
C:\Windows\system32\net.exe
net stop RTVscan /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop QBFCService /y
C:\Windows\system32\net.exe
net stop QBFCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop QBIDPService /y
C:\Windows\system32\net.exe
net stop QBIDPService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop Intuit.QuickBooks.FCS /y
C:\Windows\system32\net.exe
net stop Intuit.QuickBooks.FCS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop QBCFMonitorService /y
C:\Windows\system32\net.exe
net stop QBCFMonitorService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop YooBackup /y
C:\Windows\system32\net.exe
net stop YooBackup /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop YooIT /y
C:\Windows\system32\net.exe
net stop YooIT /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop zhudongfangyu /y
C:\Windows\system32\net.exe
net stop zhudongfangyu /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop sophos /y
C:\Windows\system32\net.exe
net stop sophos /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop stc_raw_agent /y
C:\Windows\system32\net.exe
net stop stc_raw_agent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VSNAPVSS /y
C:\Windows\system32\net.exe
net stop VSNAPVSS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamTransportSvc /y
C:\Windows\system32\net.exe
net stop VeeamTransportSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamDeploymentService /y
C:\Windows\system32\net.exe
net stop VeeamDeploymentService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamNFSSvc /y
C:\Windows\system32\net.exe
net stop VeeamNFSSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop veeam /y
C:\Windows\system32\net.exe
net stop veeam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop PDVFSService /y
C:\Windows\system32\net.exe
net stop PDVFSService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecVSSProvider /y
C:\Windows\system32\net.exe
net stop BackupExecVSSProvider /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecAgentAccelerator /y
C:\Windows\system32\net.exe
net stop BackupExecAgentAccelerator /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecAgentBrowser /y
C:\Windows\system32\net.exe
net stop BackupExecAgentBrowser /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecDiveciMediaService /y
C:\Windows\system32\net.exe
net stop BackupExecDiveciMediaService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecJobEngine /y
C:\Windows\system32\net.exe
net stop BackupExecJobEngine /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecManagementService /y
C:\Windows\system32\net.exe
net stop BackupExecManagementService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecRPCService /y
C:\Windows\system32\net.exe
net stop BackupExecRPCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop AcrSch2Svc /y
C:\Windows\system32\net.exe
net stop AcrSch2Svc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop AcronisAgent /y
C:\Windows\system32\net.exe
net stop AcronisAgent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop CASAD2DWebSvc /y
C:\Windows\system32\net.exe
net stop CASAD2DWebSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop CAARCUpdateSvc /y
C:\Windows\system32\net.exe
net stop CAARCUpdateSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop GoogleChromeElevationService /y
C:\Windows\system32\net.exe
net stop GoogleChromeElevationService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GoogleChromeElevationService /y
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
Network
Files