Malware Analysis Report

2024-10-24 18:32

Sample ID 210928-ka8sysbcar
Target 456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample
SHA256 456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e
Tags: conti, ransomware

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e

Threat Level: Known bad

The file 456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample was found to be: Known bad.

Malicious Activity Summary

conti ransomware

Conti Ransomware

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

Drops desktop.ini file(s)

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-28 08:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-28 08:24

Reported

2021-09-28 08:27

Platform

win7-en-20210920

Max time kernel

75s

Max time network

23s

Command Line

"C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe"

Signatures

Conti Ransomware

ransomware conti

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\Pictures\AddGroup.tiff | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RestoreRevoke.tiff => C:\Users\Admin\Pictures\RestoreRevoke.tiff.CONTI | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RequestSubmit.png => C:\Users\Admin\Pictures\RequestSubmit.png.CONTI | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\AddGroup.tiff => C:\Users\Admin\Pictures\AddGroup.tiff.CONTI | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BlockSync.tiff => C:\Users\Admin\Pictures\BlockSync.tiff.CONTI | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\BlockSync.tiff | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompletePush.raw => C:\Users\Admin\Pictures\CompletePush.raw.CONTI | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RestoreRevoke.tiff | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConnectBlock.crw => C:\Users\Admin\Pictures\ConnectBlock.crw.CONTI | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |

Drops desktop.ini file(s)

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A |

Enumerates connected drives

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\e: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\f: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\f: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\g: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\h: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\e: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\g: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\h: | C:\Windows\SysWOW64\vssadmin.exe | N/A |

Runs net.exe

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A | 64 identical rows |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| PID 1232 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | C:\Windows\SysWOW64\cmd.exe | 4 |
| PID 1104 wrote to memory of 2024 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe | 4 |
| PID 1232 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | C:\Windows\SysWOW64\cmd.exe | 4 |
| PID 956 wrote to memory of 1392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe | 4 |
| PID 1232 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | C:\Windows\SysWOW64\cmd.exe | 4 |
| PID 1264 wrote to memory of 268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe | 4 |
| PID 1232 wrote to memory of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | C:\Windows\SysWOW64\cmd.exe | 4 |
| PID 272 wrote to memory of 552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe | 4 |
| PID 1232 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | C:\Windows\SysWOW64\cmd.exe | 4 |
| PID 1904 wrote to memory of 1752 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe | 4 |
| PID 1232 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | C:\Windows\SysWOW64\cmd.exe | 4 |
| PID 1120 wrote to memory of 1200 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe | 4 |
| PID 1232 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | C:\Windows\SysWOW64\cmd.exe | 4 |
| PID 1156 wrote to memory of 1560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe | 4 |
| PID 1232 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | C:\Windows\SysWOW64\cmd.exe | 4 |
| PID 1660 wrote to memory of 1796 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe | 4 |

Processes

C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe

"C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AcronisAgent /y

C:\Windows\SysWOW64\net.exe

net stop AcronisAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AcrSch2Svc /y

C:\Windows\SysWOW64\net.exe

net stop AcrSch2Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Antivirus /y

C:\Windows\SysWOW64\net.exe

net stop Antivirus /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Antivirus /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ARSM /y

C:\Windows\SysWOW64\net.exe

net stop ARSM /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ARSM /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecManagementService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecManagementService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecRPCService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecRPCService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop bedbg /y

C:\Windows\SysWOW64\net.exe

net stop bedbg /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop bedbg /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop DCAgent /y

C:\Windows\SysWOW64\net.exe

net stop DCAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop DCAgent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EPSecurityService /y

C:\Windows\SysWOW64\net.exe

net stop EPSecurityService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EPSecurityService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EPUpdateService /y

C:\Windows\SysWOW64\net.exe

net stop EPUpdateService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EPUpdateService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EraserSvc11710 /y

C:\Windows\SysWOW64\net.exe

net stop EraserSvc11710 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EraserSvc11710 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EsgShKernel /y

C:\Windows\SysWOW64\net.exe

net stop EsgShKernel /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EsgShKernel /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop FA_Scheduler /y

C:\Windows\SysWOW64\net.exe

net stop FA_Scheduler /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop FA_Scheduler /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop IISAdmin /y

C:\Windows\SysWOW64\net.exe

net stop IISAdmin /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop IISAdmin /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop IMAP4Svc /y

C:\Windows\SysWOW64\net.exe

net stop IMAP4Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop IMAP4Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop McShield /y

C:\Windows\SysWOW64\net.exe

net stop McShield /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McShield /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop McTaskManager /y

C:\Windows\SysWOW64\net.exe

net stop McTaskManager /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McTaskManager /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfemms /y

C:\Windows\SysWOW64\net.exe

net stop mfemms /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfemms /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfevtp /y

C:\Windows\SysWOW64\net.exe

net stop mfevtp /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfevtp /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MMS /y

C:\Windows\SysWOW64\net.exe

net stop MMS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MMS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mozyprobackup /y

C:\Windows\SysWOW64\net.exe

net stop mozyprobackup /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mozyprobackup /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer100 /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer100 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer100 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer110 /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer110 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer110 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeES /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeES /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeES /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeIS /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeIS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeIS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeMGMT /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeMGMT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeMGMT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeMTA /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeMTA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeMTA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeSA /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeSA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeSA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeSRS /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeSRS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeSRS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MySQL57 /y

C:\Windows\SysWOW64\net.exe

net stop MySQL57 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MySQL57 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ntrtscan /y

C:\Windows\SysWOW64\net.exe

net stop ntrtscan /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ntrtscan /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop OracleClientCache80 /y

C:\Windows\SysWOW64\net.exe

net stop OracleClientCache80 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop OracleClientCache80 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop PDVFSService /y

C:\Windows\SysWOW64\net.exe

net stop PDVFSService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop POP3Svc /y

C:\Windows\SysWOW64\net.exe

net stop POP3Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop POP3Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$TPS /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop RESvc /y

C:\Windows\SysWOW64\net.exe

net stop RESvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop RESvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop sacsvr /y

C:\Windows\SysWOW64\net.exe

net stop sacsvr /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop sacsvr /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SamSs /y

C:\Windows\SysWOW64\net.exe

net stop SamSs /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SamSs /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SAVAdminService /y

C:\Windows\SysWOW64\net.exe

net stop SAVAdminService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SAVAdminService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SAVService /y

C:\Windows\SysWOW64\net.exe

net stop SAVService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SAVService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SDRSVC /y

C:\Windows\SysWOW64\net.exe

net stop SDRSVC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SDRSVC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SepMasterService /y

C:\Windows\SysWOW64\net.exe

net stop SepMasterService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SepMasterService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ShMonitor /y

C:\Windows\SysWOW64\net.exe

net stop ShMonitor /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ShMonitor /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Smcinst /y

C:\Windows\SysWOW64\net.exe

net stop Smcinst /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Smcinst /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SmcService /y

C:\Windows\SysWOW64\net.exe

net stop SmcService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SmcService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SMTPSvc /y

C:\Windows\SysWOW64\net.exe

net stop SMTPSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SMTPSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$TPS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLBrowser /y

C:\Windows\SysWOW64\net.exe

net stop SQLBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLSafeOLRService /y

C:\Windows\SysWOW64\net.exe

net stop SQLSafeOLRService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLSafeOLRService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\net.exe

net stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLTELEMETRY /y

C:\Windows\SysWOW64\net.exe

net stop SQLTELEMETRY /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLWriter /y

C:\Windows\SysWOW64\net.exe

net stop SQLWriter /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLWriter /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamBackupSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamBackupSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamBackupSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamCloudSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamCloudSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamCloudSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net.exe

net stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamDeploySvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamDeploySvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploySvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamMountSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamMountSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamMountSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamRESTSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamRESTSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamRESTSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop W3Svc /y

C:\Windows\SysWOW64\net.exe

net stop W3Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop W3Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wbengine /y

C:\Windows\SysWOW64\net.exe

net stop wbengine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop WRSVC /y

C:\Windows\SysWOW64\net.exe

net stop WRSVC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop WRSVC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop swi_update /y

C:\Windows\SysWOW64\net.exe

net stop swi_update /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop swi_update /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROD /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PROD /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop msftesql$PROD /y

C:\Windows\SysWOW64\net.exe

net stop msftesql$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop msftesql$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop NetMsmqActivator /y

C:\Windows\SysWOW64\net.exe

net stop NetMsmqActivator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop NetMsmqActivator /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EhttpSrv /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EhttpSrv /y

C:\Windows\SysWOW64\net.exe

net stop EhttpSrv /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ekrn /y

C:\Windows\SysWOW64\net.exe

net stop ekrn /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ekrn /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ESHASRV /y

C:\Windows\SysWOW64\net.exe

net stop ESHASRV /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ESHASRV /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AVP /y

C:\Windows\SysWOW64\net.exe

net stop AVP /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AVP /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop klnagent /y

C:\Windows\SysWOW64\net.exe

net stop klnagent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop klnagent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wbengine /y

C:\Windows\SysWOW64\net.exe

net stop wbengine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfefire /y

C:\Windows\SysWOW64\net.exe

net stop mfefire /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfefire /y

Network

N/A

Files

memory/1232-53-0x0000000074F81000-0x0000000074F83000-memory.dmp

memory/1104-54-0x0000000000000000-mapping.dmp

memory/2024-55-0x0000000000000000-mapping.dmp

memory/956-56-0x0000000000000000-mapping.dmp

memory/1392-57-0x0000000000000000-mapping.dmp

memory/1264-58-0x0000000000000000-mapping.dmp

memory/268-59-0x0000000000000000-mapping.dmp

memory/272-60-0x0000000000000000-mapping.dmp

memory/552-61-0x0000000000000000-mapping.dmp

memory/1904-62-0x0000000000000000-mapping.dmp

memory/1752-63-0x0000000000000000-mapping.dmp

memory/1120-64-0x0000000000000000-mapping.dmp

memory/1200-65-0x0000000000000000-mapping.dmp

memory/1156-66-0x0000000000000000-mapping.dmp

memory/1560-67-0x0000000000000000-mapping.dmp

memory/1660-68-0x0000000000000000-mapping.dmp

memory/1796-69-0x0000000000000000-mapping.dmp

memory/1828-70-0x0000000000000000-mapping.dmp

memory/1772-71-0x0000000000000000-mapping.dmp

memory/1712-72-0x0000000000000000-mapping.dmp

memory/1632-73-0x0000000000000000-mapping.dmp

memory/1656-74-0x0000000000000000-mapping.dmp

memory/1228-75-0x0000000000000000-mapping.dmp

memory/1756-76-0x0000000000000000-mapping.dmp

memory/1392-77-0x0000000000000000-mapping.dmp

memory/576-78-0x0000000000000000-mapping.dmp

memory/268-79-0x0000000000000000-mapping.dmp

memory/112-80-0x0000000000000000-mapping.dmp

memory/552-81-0x0000000000000000-mapping.dmp

memory/1020-82-0x0000000000000000-mapping.dmp

memory/1752-83-0x0000000000000000-mapping.dmp

memory/1352-84-0x0000000000000000-mapping.dmp

memory/1788-85-0x0000000000000000-mapping.dmp

memory/748-86-0x0000000000000000-mapping.dmp

memory/628-87-0x0000000000000000-mapping.dmp

memory/976-88-0x0000000000000000-mapping.dmp

memory/1312-89-0x0000000000000000-mapping.dmp

memory/1880-90-0x0000000000000000-mapping.dmp

memory/1156-91-0x0000000000000000-mapping.dmp

memory/964-92-0x0000000000000000-mapping.dmp

memory/1300-93-0x0000000000000000-mapping.dmp

memory/1796-94-0x0000000000000000-mapping.dmp

memory/1956-95-0x0000000000000000-mapping.dmp

memory/1176-96-0x0000000000000000-mapping.dmp

memory/1748-97-0x0000000000000000-mapping.dmp

memory/1920-98-0x0000000000000000-mapping.dmp

memory/1624-99-0x0000000000000000-mapping.dmp

memory/2028-100-0x0000000000000000-mapping.dmp

memory/1712-101-0x0000000000000000-mapping.dmp

memory/1400-102-0x0000000000000000-mapping.dmp

memory/620-103-0x0000000000000000-mapping.dmp

memory/1228-104-0x0000000000000000-mapping.dmp

memory/2044-105-0x0000000000000000-mapping.dmp

memory/1872-106-0x0000000000000000-mapping.dmp

memory/1268-107-0x0000000000000000-mapping.dmp

memory/968-108-0x0000000000000000-mapping.dmp

memory/1420-109-0x0000000000000000-mapping.dmp

memory/1508-110-0x0000000000000000-mapping.dmp

memory/1208-111-0x0000000000000000-mapping.dmp

memory/576-112-0x0000000000000000-mapping.dmp

memory/1348-113-0x0000000000000000-mapping.dmp

memory/1124-114-0x0000000000000000-mapping.dmp

memory/552-115-0x0000000000000000-mapping.dmp

memory/1580-116-0x0000000000000000-mapping.dmp

memory/796-117-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-28 08:24

Reported

2021-09-28 08:27

Platform

win10v20210408

Max time kernel

75s

Max time network

78s

Command Line

"C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe"

Signatures

Conti Ransomware

ransomware conti

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware

Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\StopImport.png => C:\Users\Admin\Pictures\StopImport.png.CONTI | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UpdateRestore.tiff | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\UseUnregister.crw => C:\Users\Admin\Pictures\UseUnregister.crw.CONTI | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\UpdateRestore.tiff => C:\Users\Admin\Pictures\UpdateRestore.tiff.CONTI | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnprotectResume.crw => C:\Users\Admin\Pictures\UnprotectResume.crw.CONTI | C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe | N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\D: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\f: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\f: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\D: C:\Windows\SysWOW64\vssadmin.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 364 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 680 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 680 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 364 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1632 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1632 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 364 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1688 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1688 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 364 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2472 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2472 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 364 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 3972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3096 wrote to memory of 3972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3096 wrote to memory of 3972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 364 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 4044 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 4044 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 4044 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 364 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 3168 wrote to memory of 3152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3168 wrote to memory of 3152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3168 wrote to memory of 3152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 364 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 3992 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3992 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3992 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 364 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 3200 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3200 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3200 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 364 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2652 wrote to memory of 808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2652 wrote to memory of 808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 364 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 508 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe

"C:\Users\Admin\AppData\Local\Temp\456dc28731284188734ef4724d38dca91dcba6c780e6268603365967522cdd6e.bin.sample.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AcronisAgent /y

C:\Windows\SysWOW64\net.exe

net stop AcronisAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AcrSch2Svc /y

C:\Windows\SysWOW64\net.exe

net stop AcrSch2Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Antivirus /y

C:\Windows\SysWOW64\net.exe

net stop Antivirus /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Antivirus /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ARSM /y

C:\Windows\SysWOW64\net.exe

net stop ARSM /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ARSM /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecManagementService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecManagementService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecRPCService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecRPCService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop bedbg /y

C:\Windows\SysWOW64\net.exe

net stop bedbg /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop bedbg /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop DCAgent /y

C:\Windows\SysWOW64\net.exe

net stop DCAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop DCAgent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EPSecurityService /y

C:\Windows\SysWOW64\net.exe

net stop EPSecurityService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EPSecurityService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EPUpdateService /y

C:\Windows\SysWOW64\net.exe

net stop EPUpdateService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EPUpdateService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EraserSvc11710 /y

C:\Windows\SysWOW64\net.exe

net stop EraserSvc11710 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EraserSvc11710 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EsgShKernel /y

C:\Windows\SysWOW64\net.exe

net stop EsgShKernel /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EsgShKernel /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop FA_Scheduler /y

C:\Windows\SysWOW64\net.exe

net stop FA_Scheduler /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop FA_Scheduler /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop IISAdmin /y

C:\Windows\SysWOW64\net.exe

net stop IISAdmin /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop IISAdmin /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop IMAP4Svc /y

C:\Windows\SysWOW64\net.exe

net stop IMAP4Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop IMAP4Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop McShield /y

C:\Windows\SysWOW64\net.exe

net stop McShield /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McShield /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop McTaskManager /y

C:\Windows\SysWOW64\net.exe

net stop McTaskManager /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McTaskManager /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfemms /y

C:\Windows\SysWOW64\net.exe

net stop mfemms /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfemms /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfevtp /y

C:\Windows\SysWOW64\net.exe

net stop mfevtp /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfevtp /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MMS /y

C:\Windows\SysWOW64\net.exe

net stop MMS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MMS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mozyprobackup /y

C:\Windows\SysWOW64\net.exe

net stop mozyprobackup /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mozyprobackup /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer100 /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer100 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer100 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer110 /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer110 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer110 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeES /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeES /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeES /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeIS /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeIS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeIS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeMGMT /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeMGMT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeMGMT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeMTA /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeMTA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeMTA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeSA /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeSA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeSA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeSRS /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeSRS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeSRS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MySQL57 /y

C:\Windows\SysWOW64\net.exe

net stop MySQL57 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MySQL57 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ntrtscan /y

C:\Windows\SysWOW64\net.exe

net stop ntrtscan /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ntrtscan /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop OracleClientCache80 /y

C:\Windows\SysWOW64\net.exe

net stop OracleClientCache80 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop OracleClientCache80 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop PDVFSService /y

C:\Windows\SysWOW64\net.exe

net stop PDVFSService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop POP3Svc /y

C:\Windows\SysWOW64\net.exe

net stop POP3Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop POP3Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$TPS /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop RESvc /y

C:\Windows\SysWOW64\net.exe

net stop RESvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop RESvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop sacsvr /y

C:\Windows\SysWOW64\net.exe

net stop sacsvr /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop sacsvr /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SamSs /y

C:\Windows\SysWOW64\net.exe

net stop SamSs /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SamSs /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SAVAdminService /y

C:\Windows\SysWOW64\net.exe

net stop SAVAdminService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SAVAdminService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SAVService /y

C:\Windows\SysWOW64\net.exe

net stop SAVService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SAVService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SDRSVC /y

C:\Windows\SysWOW64\net.exe

net stop SDRSVC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SDRSVC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SepMasterService /y

C:\Windows\SysWOW64\net.exe

net stop SepMasterService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SepMasterService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ShMonitor /y

C:\Windows\SysWOW64\net.exe

net stop ShMonitor /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ShMonitor /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Smcinst /y

C:\Windows\SysWOW64\net.exe

net stop Smcinst /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Smcinst /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SmcService /y

C:\Windows\SysWOW64\net.exe

net stop SmcService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SmcService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SMTPSvc /y

C:\Windows\SysWOW64\net.exe

net stop SMTPSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SMTPSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$TPS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLBrowser /y

C:\Windows\SysWOW64\net.exe

net stop SQLBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLSafeOLRService /y

C:\Windows\SysWOW64\net.exe

net stop SQLSafeOLRService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLSafeOLRService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\net.exe

net stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLTELEMETRY /y

C:\Windows\SysWOW64\net.exe

net stop SQLTELEMETRY /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLWriter /y

C:\Windows\SysWOW64\net.exe

net stop SQLWriter /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLWriter /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamBackupSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamBackupSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamBackupSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamCloudSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamCloudSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamCloudSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net.exe

net stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamDeploySvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamDeploySvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploySvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamMountSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamMountSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamMountSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamRESTSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamRESTSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamRESTSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop W3Svc /y

C:\Windows\SysWOW64\net.exe

net stop W3Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop W3Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wbengine /y

C:\Windows\SysWOW64\net.exe

net stop wbengine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop WRSVC /y

C:\Windows\SysWOW64\net.exe

net stop WRSVC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop WRSVC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop swi_update /y

C:\Windows\SysWOW64\net.exe

net stop swi_update /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop swi_update /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROD /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PROD /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop msftesql$PROD /y

C:\Windows\SysWOW64\net.exe

net stop msftesql$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop msftesql$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop NetMsmqActivator /y

C:\Windows\SysWOW64\net.exe

net stop NetMsmqActivator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop NetMsmqActivator /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EhttpSrv /y

C:\Windows\SysWOW64\net.exe

net stop EhttpSrv /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EhttpSrv /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ekrn /y

C:\Windows\SysWOW64\net.exe

net stop ekrn /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ekrn /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ESHASRV /y

C:\Windows\SysWOW64\net.exe

net stop ESHASRV /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ESHASRV /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AVP /y

C:\Windows\SysWOW64\net.exe

net stop AVP /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AVP /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop klnagent /y

C:\Windows\SysWOW64\net.exe

net stop klnagent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop klnagent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wbengine /y

C:\Windows\SysWOW64\net.exe

net stop wbengine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfefire /y

C:\Windows\SysWOW64\net.exe

net stop mfefire /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfefire /y

Network

Country Destination Domain Proto
N/A 10.10.0.14:445 tcp
N/A 10.10.0.1:445 tcp
N/A 10.10.0.18:445 tcp
N/A 10.10.0.15:445 tcp
N/A 10.10.0.14:139 tcp
N/A 10.10.0.1:139 tcp
N/A 10.10.0.15:139 tcp
N/A 10.10.0.18:139 tcp

Files

memory/680-114-0x0000000000000000-mapping.dmp

memory/1168-115-0x0000000000000000-mapping.dmp

memory/1632-116-0x0000000000000000-mapping.dmp

memory/1820-117-0x0000000000000000-mapping.dmp

memory/1688-118-0x0000000000000000-mapping.dmp

memory/2364-119-0x0000000000000000-mapping.dmp

memory/2472-120-0x0000000000000000-mapping.dmp

memory/2792-121-0x0000000000000000-mapping.dmp

memory/3096-122-0x0000000000000000-mapping.dmp

memory/3972-123-0x0000000000000000-mapping.dmp

memory/4044-124-0x0000000000000000-mapping.dmp

memory/4060-125-0x0000000000000000-mapping.dmp

memory/3168-126-0x0000000000000000-mapping.dmp

memory/3152-127-0x0000000000000000-mapping.dmp

memory/3992-128-0x0000000000000000-mapping.dmp

memory/2576-129-0x0000000000000000-mapping.dmp

memory/3200-130-0x0000000000000000-mapping.dmp

memory/3172-131-0x0000000000000000-mapping.dmp

memory/2652-132-0x0000000000000000-mapping.dmp

memory/808-133-0x0000000000000000-mapping.dmp

memory/508-134-0x0000000000000000-mapping.dmp

memory/856-135-0x0000000000000000-mapping.dmp

memory/1228-136-0x0000000000000000-mapping.dmp

memory/1136-137-0x0000000000000000-mapping.dmp

memory/1920-138-0x0000000000000000-mapping.dmp

memory/1796-139-0x0000000000000000-mapping.dmp

memory/2416-140-0x0000000000000000-mapping.dmp

memory/2184-141-0x0000000000000000-mapping.dmp

memory/2804-142-0x0000000000000000-mapping.dmp

memory/2708-143-0x0000000000000000-mapping.dmp

memory/4016-144-0x0000000000000000-mapping.dmp

memory/4000-145-0x0000000000000000-mapping.dmp

memory/3980-146-0x0000000000000000-mapping.dmp

memory/4020-147-0x0000000000000000-mapping.dmp

memory/3964-148-0x0000000000000000-mapping.dmp

memory/3188-149-0x0000000000000000-mapping.dmp

memory/2872-150-0x0000000000000000-mapping.dmp

memory/1864-151-0x0000000000000000-mapping.dmp

memory/4040-152-0x0000000000000000-mapping.dmp

memory/2576-153-0x0000000000000000-mapping.dmp

memory/988-154-0x0000000000000000-mapping.dmp

memory/2880-155-0x0000000000000000-mapping.dmp

memory/2240-156-0x0000000000000000-mapping.dmp

memory/1800-157-0x0000000000000000-mapping.dmp

memory/628-158-0x0000000000000000-mapping.dmp

memory/2652-159-0x0000000000000000-mapping.dmp

memory/3852-160-0x0000000000000000-mapping.dmp

memory/3960-161-0x0000000000000000-mapping.dmp

memory/3836-162-0x0000000000000000-mapping.dmp

memory/2012-163-0x0000000000000000-mapping.dmp

memory/1216-164-0x0000000000000000-mapping.dmp

memory/1996-165-0x0000000000000000-mapping.dmp

memory/2140-166-0x0000000000000000-mapping.dmp

memory/1808-167-0x0000000000000000-mapping.dmp

memory/2144-168-0x0000000000000000-mapping.dmp

memory/2776-169-0x0000000000000000-mapping.dmp

memory/2340-170-0x0000000000000000-mapping.dmp

memory/2664-171-0x0000000000000000-mapping.dmp

memory/2740-172-0x0000000000000000-mapping.dmp

memory/2784-173-0x0000000000000000-mapping.dmp

memory/2800-174-0x0000000000000000-mapping.dmp

memory/4060-175-0x0000000000000000-mapping.dmp

memory/3516-176-0x0000000000000000-mapping.dmp

memory/3976-177-0x0000000000000000-mapping.dmp