prolock | dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178

General

Target

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Size

14KB
MD5

3355ace345e98406bdb331ccad568386
SHA1

81d5888bb8d43d88315c040be1f51db6bb5cf64c
SHA256

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178
SHA512

55223ee6f387252a401e62cd5b619afafcb3d63cb33cd1b9a12d782dadc9e68b95062363863f70f13eb28f751da710b78161f7efda464d66b1f98741e56f50e1

Score

10^/10

prolock ransomware

Malware Config

Extracted

Path

C:\[HOW TO RECOVER FILES].TXT

Family

prolock

Ransom Note

Your files have been encrypted by ProLock Ransomware using RSA-2048 algorithm. [.:Nothing personal just business:.] No one can help you to restore files without our special decryption tool. To get your files back you have to pay the decryption fee in BTC. The final price depends on how fast you write to us. 1. Download TOR browser: https://www.torproject.org/ 2. Install the TOR Browser. 3. Open the TOR Browser. 4. Open our website in the TOR browser: msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion 5. Login using your ID D8756FE07320C1859F44 ***If you have any problems connecting or using TOR network: contact our support by email support981723721@protonmail.com [You'll receive instructions and price inside] The decryption keys will be stored for 1 month. We also have gathered your sensitive data. We would share it in case you refuse to pay. Decryption using third party software is impossible. Attempts to self-decrypting files will result in the loss of your data.

Emails

support981723721@protonmail.com

URLs

http://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion

Signatures

ProLock Ransomware
Rebranded update of PwndLocker first seen in March 2020.
ransomware prolock
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops desktop.ini file(s) 2 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

description	ioc	process
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\desktop.ini	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

vssadmin.exevssadmin.exe

description ioc process

File opened (read-only) \??\D: vssadmin.exe
File opened (read-only) \??\D: vssadmin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

748 net.exe
Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

4092 vssadmin.exe
2172 vssadmin.exe
2316 vssadmin.exe
4056 vssadmin.exe
396 vssadmin.exe
792 vssadmin.exe
Runs net.exe

description	ioc	process
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe

pid	process
748	net.exe

pid	process
4092	vssadmin.exe
2172	vssadmin.exe
2316	vssadmin.exe
4056	vssadmin.exe
396	vssadmin.exe
792	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

pid	process
3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

pid process

3948 dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exevssvc.exe

description	pid	process
Token: SeSecurityPrivilege	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeTakeOwnershipPrivilege	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeBackupPrivilege	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeRestorePrivilege	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeManageVolumePrivilege	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeDebugPrivilege	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
Token: SeBackupPrivilege	3760	vssvc.exe
Token: SeRestorePrivilege	3760	vssvc.exe
Token: SeAuditPrivilege	3760	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3948 wrote to memory of 2156	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 2156	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 2156	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 2720	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 2720	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 2720	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2156 wrote to memory of 2744	2156	net.exe	net1.exe
PID 2156 wrote to memory of 2744	2156	net.exe	net1.exe
PID 2156 wrote to memory of 2744	2156	net.exe	net1.exe
PID 2720 wrote to memory of 3940	2720	net.exe	net1.exe
PID 2720 wrote to memory of 3940	2720	net.exe	net1.exe
PID 2720 wrote to memory of 3940	2720	net.exe	net1.exe
PID 3948 wrote to memory of 3932	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 3932	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 3932	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3932 wrote to memory of 3860	3932	net.exe	net1.exe
PID 3932 wrote to memory of 3860	3932	net.exe	net1.exe
PID 3932 wrote to memory of 3860	3932	net.exe	net1.exe
PID 3948 wrote to memory of 4024	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 4024	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 4024	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4024 wrote to memory of 3288	4024	net.exe	net1.exe
PID 4024 wrote to memory of 3288	4024	net.exe	net1.exe
PID 4024 wrote to memory of 3288	4024	net.exe	net1.exe
PID 3948 wrote to memory of 2712	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 2712	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 2712	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 4056	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 4056	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 4056	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 2712 wrote to memory of 3772	2712	net.exe	net1.exe
PID 2712 wrote to memory of 3772	2712	net.exe	net1.exe
PID 2712 wrote to memory of 3772	2712	net.exe	net1.exe
PID 3948 wrote to memory of 3952	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 3952	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 3952	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4056 wrote to memory of 3784	4056	net.exe	net1.exe
PID 4056 wrote to memory of 3784	4056	net.exe	net1.exe
PID 4056 wrote to memory of 3784	4056	net.exe	net1.exe
PID 3948 wrote to memory of 2340	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 2340	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 2340	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3952 wrote to memory of 932	3952	net.exe	net1.exe
PID 3952 wrote to memory of 932	3952	net.exe	net1.exe
PID 3952 wrote to memory of 932	3952	net.exe	net1.exe
PID 2340 wrote to memory of 2696	2340	net.exe	net1.exe
PID 2340 wrote to memory of 2696	2340	net.exe	net1.exe
PID 2340 wrote to memory of 2696	2340	net.exe	net1.exe
PID 3948 wrote to memory of 3940	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 3940	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 3940	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3940 wrote to memory of 3904	3940	net.exe	net1.exe
PID 3940 wrote to memory of 3904	3940	net.exe	net1.exe
PID 3940 wrote to memory of 3904	3940	net.exe	net1.exe
PID 3948 wrote to memory of 3760	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 3760	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 3760	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3760 wrote to memory of 2800	3760	net.exe	net1.exe
PID 3760 wrote to memory of 2800	3760	net.exe	net1.exe
PID 3760 wrote to memory of 2800	3760	net.exe	net1.exe
PID 3948 wrote to memory of 4024	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 4024	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 3948 wrote to memory of 4024	3948	dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe	net.exe
PID 4024 wrote to memory of 2540	4024	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe
"C:\Users\Admin\AppData\Local\Temp\dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "CSFalconService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "CSFalconService" /y
3⤵
PID:2744

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "McAfeeFramework" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfeeFramework" /y
3⤵
PID:3940

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Alerter" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Alerter" /y
3⤵
PID:3860

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "AcronisAgent" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AcronisAgent" /y
3⤵
PID:3288

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
3⤵
PID:3772

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecAgentAccelerator" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y
3⤵
PID:3784

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecDeviceMediaService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y
3⤵
PID:932

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecJobEngine" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecJobEngine" /y
3⤵
PID:2696

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecManagementService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecManagementService" /y
3⤵
PID:3904

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecRPCService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecRPCService" /y
3⤵
PID:2800

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecVSSProvider" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y
3⤵
PID:2540

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "DFSR" /y
2⤵
PID:3924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "DFSR" /y
3⤵
PID:3780

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPIntegrationService" /y
2⤵
PID:4056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPIntegrationService" /y
3⤵
PID:3344

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPProtectedService" /y
2⤵
PID:2428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPProtectedService" /y
3⤵
PID:2780

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPSecurityService" /y
2⤵
PID:2568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPSecurityService" /y
3⤵
PID:3904

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPUpdateService" /y
2⤵
PID:4060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPUpdateService" /y
3⤵
PID:2800

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MB3Service" /y
2⤵
PID:2700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MB3Service" /y
3⤵
PID:1248

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MBAMService" /y
2⤵
PID:4024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MBAMService" /y
3⤵
PID:2368

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MBEndpointAgent" /y
2⤵
PID:3900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MBEndpointAgent" /y
3⤵
PID:1556

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeES" /y
2⤵
PID:3908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeES" /y
3⤵
PID:1600

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeMGMT" /y
2⤵
PID:3936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMGMT" /y
3⤵
PID:3308

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeMTA" /y
2⤵
PID:3712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMTA" /y
3⤵
PID:2784

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeSA" /y
2⤵
PID:2716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSA" /y
3⤵
PID:2796

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeSRS" /y
2⤵
PID:1004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSRS" /y
3⤵
PID:1092

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeADTopology" /y
2⤵
PID:396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeADTopology" /y
3⤵
PID:1580

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeDelivery" /y
2⤵
PID:2084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeDelivery" /y
3⤵
PID:3952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeDiagnostics" /y
2⤵
PID:3908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeDiagnostics" /y
3⤵
PID:3936

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeEdgeSync" /y
2⤵
PID:3308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeEdgeSync" /y
3⤵
PID:3712

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeHM" /y
2⤵
PID:2784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeHM" /y
3⤵
PID:2716

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeHMRecovery" /y
2⤵
PID:3880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeHMRecovery" /y
3⤵
PID:3768

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeIS" /y
2⤵
PID:1644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeIS" /y
3⤵
PID:396

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeMailboxReplication" /y
2⤵
PID:1580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMailboxReplication" /y
3⤵
PID:208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeRPC" /y
2⤵
PID:2264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeRPC" /y
3⤵
PID:3116

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeRepl" /y
2⤵
PID:2440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeRepl" /y
3⤵
PID:2664

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeServiceHost" /y
2⤵
PID:3308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeServiceHost" /y
3⤵
PID:2716

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeTransport" /y
2⤵
PID:2540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeTransport" /y
3⤵
PID:1096

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeUM" /y
2⤵
PID:1092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeUM" /y
3⤵
PID:3860

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeUMCR" /y
2⤵
PID:3288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeUMCR" /y
3⤵
PID:2008

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$*" /y
2⤵
PID:2340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$*" /y
3⤵
PID:3944

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLSERVER" /y
2⤵
PID:2744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLSERVER" /y
3⤵
PID:2568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MsDtsServer" /y
2⤵
PID:4060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer" /y
3⤵
PID:3936

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MySQL57" /y
2⤵
PID:2432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MySQL57" /y
3⤵
PID:1500

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "OSearch15" /y
2⤵
PID:3776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "OSearch15" /y
3⤵
PID:3860

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "OracleClientCache80" /y
2⤵
PID:2444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "OracleClientCache80" /y
3⤵
PID:2616

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "QuickBooksDB25" /y
2⤵
PID:1960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "QuickBooksDB25" /y
3⤵
PID:3944

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPAdminV4" /y
2⤵
PID:3116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPAdminV4" /y
3⤵
PID:2704

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPSearchHostController" /y
2⤵
PID:2664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPSearchHostController" /y
3⤵
PID:3932

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPTraceV4" /y
2⤵
PID:2788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPTraceV4" /y
3⤵
PID:1500

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPUserCodeV4" /y
2⤵
PID:396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPUserCodeV4" /y
3⤵
PID:2540

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPWriterV4" /y
2⤵
PID:3952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPWriterV4" /y
3⤵
PID:2680

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLBrowser" /y
2⤵
PID:188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBrowser" /y
3⤵
PID:2212

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLSafeOLRService" /y
2⤵
PID:2700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLSafeOLRService" /y
3⤵
PID:2068

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
2⤵
PID:3780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
3⤵
PID:4060

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLSERVERAGENT" /y
2⤵
PID:1540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y
3⤵
PID:1248

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLTELEMETRY" /y
2⤵
PID:1644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLTELEMETRY" /y
3⤵
PID:3880

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLBackups" /y
2⤵
PID:3128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBackups" /y
3⤵
PID:4036

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$*" /y
2⤵
PID:2176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$*" /y
3⤵
PID:3664

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$*" /y
2⤵
PID:192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$*" /y
3⤵
PID:3908

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSMQ" /y
2⤵
PID:1908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSMQ" /y
3⤵
PID:3892

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer" /y
2⤵
PID:2440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer" /y
3⤵
PID:3860

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$*" /y
2⤵
PID:3564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$*" /y
3⤵
PID:2008

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLWriter" /y
2⤵
PID:2540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLWriter" /y
3⤵
PID:208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLBackupAgent" /y
2⤵
PID:3288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBackupAgent" /y
3⤵
PID:2568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
2⤵
PID:3344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
3⤵
PID:2208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SyncoveryVSSService" /y
2⤵
PID:3712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SyncoveryVSSService" /y
3⤵
PID:2664

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamBackupSvc" /y
2⤵
PID:3964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamBackupSvc" /y
3⤵
PID:3308

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamCatalogSvc" /y
2⤵
PID:204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y
3⤵
PID:3760

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamCloudSvc" /y
2⤵
PID:1740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamCloudSvc" /y
3⤵
PID:4052

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamEndpointBackupSvc" /y
2⤵
PID:3024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamEndpointBackupSvc" /y
3⤵
PID:3952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamEnterpriseManagerSvc" /y
2⤵
PID:2772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y
3⤵
PID:3540

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamMountSvc" /y
2⤵
PID:2212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamMountSvc" /y
3⤵
PID:2700

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamNFSSvc" /y
2⤵
PID:2068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamNFSSvc" /y
3⤵
PID:2796

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamRESTSvc" /y
2⤵
PID:3348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamRESTSvc" /y
3⤵
PID:3776

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamTransportSvc /y
2⤵
PID:2716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamTransportSvc /y
3⤵
PID:208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
2⤵
PID:2512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
3⤵
PID:2568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "epag" /y
2⤵
PID:3024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "epag" /y
3⤵
PID:2084

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "epredline" /y
2⤵
PID:2704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "epredline" /y
3⤵
PID:3940

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "mozyprobackup" /y
2⤵
PID:3908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mozyprobackup" /y
3⤵
PID:3780

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "masvc" /y
2⤵
PID:3936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "masvc" /y
3⤵
PID:3776

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "macmnsvc" /y
2⤵
PID:1500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "macmnsvc" /y
3⤵
PID:208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "mfemms" /y
2⤵
PID:2352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mfemms" /y
3⤵
PID:4092

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "McAfeeDLPAgentService" /y
2⤵
PID:2432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfeeDLPAgentService" /y
3⤵
PID:2084

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "psqlWGE" /y
2⤵
PID:2680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "psqlWGE" /y
3⤵
PID:3128

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "swprv" /y
2⤵
PID:3884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "swprv" /y
3⤵
PID:1236

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "wsbexchange" /y
2⤵
PID:1452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wsbexchange" /y
3⤵
PID:2428

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "WinVNC4" /y
2⤵
PID:4060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WinVNC4" /y
3⤵
PID:3964

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "TMBMServer" /y
2⤵
PID:1740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TMBMServer" /y
3⤵
PID:3708

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "tmccsf" /y
2⤵
PID:2540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "tmccsf" /y
3⤵
PID:3540

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "tmlisten" /y
2⤵
PID:4036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "tmlisten" /y
3⤵
PID:2772

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VSNAPVSS" /y
2⤵
PID:668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VSNAPVSS" /y
3⤵
PID:3124

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "stc_endpt_svc" /y
2⤵
PID:3940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "stc_endpt_svc" /y
3⤵
PID:1484

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "wbengine" /y
2⤵
PID:1452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
3⤵
PID:2720

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "bbagent" /y
2⤵
PID:3892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "bbagent" /y
3⤵
PID:3708

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "NasPmService" /y
2⤵
PID:4092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "NasPmService" /y
3⤵
PID:2568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BASupportExpressStandaloneService_N_Central" /y
2⤵
PID:2352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BASupportExpressStandaloneService_N_Central" /y
3⤵
PID:360

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BASupportExpressSrvcUpdater_N_Central" /y
2⤵
PID:4036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BASupportExpressSrvcUpdater_N_Central" /y
3⤵
PID:3288

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "hasplms" /y
2⤵
PID:3780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "hasplms" /y
3⤵
PID:1580

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EqlVss" /y
2⤵
PID:2268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EqlVss" /y
3⤵
PID:3964

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EqlReqService" /y
2⤵
PID:3908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EqlReqService" /y
3⤵
PID:3952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "RapidRecoveryAgent" /y
2⤵
PID:2800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "RapidRecoveryAgent" /y
3⤵
PID:772

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "YTBackup" /y
2⤵
PID:2716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "YTBackup" /y
3⤵
PID:2564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "vhdsvc" /y
2⤵
PID:4052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "vhdsvc" /y
3⤵
PID:2796

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "TeamViewer" /y
2⤵
- Discovers systems in the same network
PID:748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TeamViewer" /y
3⤵
PID:2428

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$SQL_2008" /y
2⤵
PID:3344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y
3⤵
PID:3564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$SYSTEM_BGC" /y
2⤵
PID:3924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y
3⤵
PID:196

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$TPS" /y
2⤵
PID:3900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPS" /y
3⤵
PID:2568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$TPSAMA" /y
2⤵
PID:3540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y
3⤵
PID:360

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$BKUPEXEC" /y
2⤵
PID:3904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y
3⤵
PID:3288

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$ECWDB2" /y
2⤵
PID:1236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y
3⤵
PID:3884

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PRACTICEMGT" /y
2⤵
PID:3128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y
3⤵
PID:3308

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PRACTTICEBGC" /y
2⤵
PID:3872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y
3⤵
PID:1452

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PROD" /y
2⤵
PID:1260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROD" /y
3⤵
PID:4060

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PROFXENGAGEMENT" /y
2⤵
PID:1328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y
3⤵
PID:3708

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SBSMONITORING" /y
2⤵
PID:2208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y
3⤵
PID:1600

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SHAREPOINT" /y
2⤵
PID:1960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y
3⤵
PID:2428

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SOPHOS" /y
2⤵
PID:3756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y
3⤵
PID:3664

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SQL_2008" /y
2⤵
PID:3964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y
3⤵
PID:208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SQLEXPRESS" /y
2⤵
PID:3712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y
3⤵
PID:3872

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SYSTEM_BGC" /y
2⤵
PID:2712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y
3⤵
PID:3944

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$TPS" /y
2⤵
PID:772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPS" /y
3⤵
PID:360

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$TPSAMA" /y
2⤵
PID:2564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y
3⤵
PID:3348

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$VEEAMSQL2008R2" /y
2⤵
PID:2704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
3⤵
PID:1512

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$VEEAMSQL2012" /y
2⤵
PID:2732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y
3⤵
PID:3636

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher" /y
2⤵
PID:2316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y
3⤵
PID:1908

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
2⤵
PID:3776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
3⤵
PID:2268

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SBSMONITORING" /y
2⤵
PID:668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y
3⤵
PID:4060

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SHAREPOINT" /y
2⤵
PID:188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y
3⤵
PID:3708

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SQL_2008" /y
2⤵
PID:3900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y
3⤵
PID:1600

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SYSTEM_BGC" /y
2⤵
PID:2084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y
3⤵
PID:2428

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$TPS" /y
2⤵
PID:2512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y
3⤵
PID:2776

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$TPSAMA" /y
2⤵
PID:4052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y
3⤵
PID:208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLSERVER" /y
2⤵
PID:2444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLSERVER" /y
3⤵
PID:3564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLServerADHelper" /y
2⤵
PID:3768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y
3⤵
PID:3944

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLServerADHelper100" /y
2⤵
PID:1484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y
3⤵
PID:360

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLServerOLAPService" /y
2⤵
PID:4056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y
3⤵
PID:3348

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$BKUPEXEC" /y
2⤵
PID:2796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y
3⤵
PID:1512

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$CITRIX_METAFRAME" /y
2⤵
PID:2700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y
3⤵
PID:3308

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$CXDB" /y
2⤵
PID:4092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y
3⤵
PID:2440

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$ECWDB2" /y
2⤵
PID:3756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y
3⤵
PID:2664

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PRACTTICEBGC" /y
2⤵
PID:2540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y
3⤵
PID:2568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PRACTTICEMGT" /y
2⤵
PID:3712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y
3⤵
PID:2340

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PROD" /y
2⤵
PID:3280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROD" /y
3⤵
PID:3288

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PROFXENGAGEMENT" /y
2⤵
PID:2600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y
3⤵
PID:3884

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SBSMONITORING" /y
2⤵
PID:2660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y
3⤵
PID:2776

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SHAREPOINT" /y
2⤵
PID:3000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y
3⤵
PID:1960

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SOPHOS" /y
2⤵
PID:2704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y
3⤵
PID:3792

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SQL_2008" /y
2⤵
PID:2268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y
3⤵
PID:2772

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SQLEXPRESS" /y
2⤵
PID:4060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y
3⤵
PID:3784

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SYSTEM_BGC" /y
2⤵
PID:3776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y
3⤵
PID:2800

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$TPS" /y
2⤵
PID:3952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPS" /y
3⤵
PID:2264

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$TPSAMA" /y
2⤵
PID:2428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y
3⤵
PID:2176

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$VEEAMSQL2008R2" /y
2⤵
PID:2744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
3⤵
PID:1644

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$VEEAMSQL2012" /y
2⤵
PID:2212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y
3⤵
PID:2432

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$SQL_2008" /y
2⤵
PID:3664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y
3⤵
PID:3128

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$SYSTEM_BGC" /y
2⤵
PID:1092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y
3⤵
PID:3708

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$TPS" /y
2⤵
PID:3768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPS" /y
3⤵
PID:668

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$TPSAMA" /y
2⤵
PID:3860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y
3⤵
PID:3884

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:4056

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=D: /on=D: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:396

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=D: /on=D: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:792

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:4092

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=C: /on=C: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:2172

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=C: /on=C: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:2316