prolock | d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776

General

Target

d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
Size

15KB
MD5

ae3aab90f69a05b131bd76abe8a5a988
SHA1

e4b09d053f6d0d95a318a552fc69291874a166c9
SHA256

d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776
SHA512

2c411bf12e79e8620c1188147d6d5d0b06877ad5c60b1043e0d13a8e508dfcf85e95f3691fcd12081d60db42bc3bcf8ef00837318559fe6aac3da34e406ec714

Score

10^/10

prolock ransomware

Malware Config

Extracted

Path

C:\[HOW TO RECOVER FILES].TXT

Family

prolock

Ransom Note

Your files have been encrypted by ProLock Ransomware using RSA-2048 algorithm. [.:Nothing personal just business:.] No one can help you to restore files without our special decryption tool. To get your files back you have to pay the decryption fee in BTC. The final price depends on how fast you write to us. 1. Download TOR browser: https://www.torproject.org/ 2. Install the TOR Browser. 3. Open the TOR Browser. 4. Open our website in the TOR browser: qyyllfooubxzl5am25xoessrbnluxpj73ylgtlx25xdg74yuheaigfqd.onion 5. Login using your ID MCC1D3C303AEA0018852 ***If you have any problems connecting or using TOR network: contact our support by email chec1kyourf1les@protonmail.com. [You'll receive instructions and price inside] The decryption keys will be stored for 1 month. We also have gathered your sensitive data. We would share it in case you refuse to pay. Decryption using third party software is impossible. Attempts to self-decrypting files will result in the loss of your data.

Emails

chec1kyourf1les@protonmail.com.

URLs

http://qyyllfooubxzl5am25xoessrbnluxpj73ylgtlx25xdg74yuheaigfqd.onion

Signatures

ProLock Ransomware
Rebranded update of PwndLocker first seen in March 2020.
ransomware prolock
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops desktop.ini file(s) 64 IoCs

Processes:

d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe

description	ioc	process
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\VL9MRVWS\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\ZKOSACOX\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\ZKOSACOX\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\ZKOSACOX\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\DBS3QI6C\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\TEMPOR~1\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\ZKOSACOX\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\ZKOSACOX\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\H2R8HLJC\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\H2R8HLJC\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\History.IE5\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\H2R8HLJC\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\History.IE5\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Default\STARTM~1\Programs\ACCESS~1\Desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\8927RJE4\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\APPLIC~1\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\TaskBar\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\H2R8HLJC\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\AKOZAZUE\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\SendTo\Desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\STARTM~1\Programs\Startup\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\VL9MRVWS\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\TEMPOR~1\Content.IE5\DBS3QI6C\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\DBS3QI6C\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\AKOZAZUE\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\H2R8HLJC\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\ZKOSACOX\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\ZKOSACOX\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\VL9MRVWS\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\DEFAUL~1\SendTo\Desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\ZZZ3YRT4\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\E16QEJ8K\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\History.IE5\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\TEMPOR~1\Content.IE5\DBS3QI6C\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\E16QEJ8K\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\History\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\VL9MRVWS\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\VL9MRVWS\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\History\History.IE5\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\TEMPOR~1\Content.IE5\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\DBS3QI6C\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\8927RJE4\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Public\LIBRAR~1\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\MICROS~1\FEEDSC~1\VL9MRVWS\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\LOCALS~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\FEEDSC~1\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\APPLIC~1\APPLIC~1\TEMPOR~1\Content.IE5\AKOZAZUE\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\MICROS~1\FEEDSC~1\E16QEJ8K\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\DOCUME~1\Admin\AppData\Local\APPLIC~1\MICROS~1\FEEDSC~1\desktop.ini	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe

Drops file in Program Files directory 64 IoCs

Processes:

d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe

description	ioc	process
File created	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\features\OR2A73~1.V20\[HOW TO RECOVER FILES].TXT	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\plugins\COMJRO~2.165\icons\console_view.png	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\7-Zip\Lang\ca.txt	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\America\Cuiaba	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\America\Fortaleza	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\Europe\Warsaw	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\features\ORGECL~4.V20\epl-v10.html	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\plugins\COMJRO~2.165\icons\day-of-week-16.png	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\7-Zip\readme.txt	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Google\Chrome\APPLIC~1\890438~1.114\VISUAL~1\LogoCanary.png	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File created	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\AUSTRA~1\[HOW TO RECOVER FILES].TXT	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\Pacific\Tongatapu	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File created	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\plugins\COMJRO~1.165\html\dcommon\[HOW TO RECOVER FILES].TXT	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File created	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\plugins\COMJRO~1.165\html\dcommon\css\[HOW TO RECOVER FILES].TXT	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\plugins\ORGECL~2.V20\images\macTSFrame.png	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Google\Chrome\APPLIC~1\890438~1.114\Locales\am.pak	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File created	C:\PROGRA~1\Google\Chrome\APPLIC~1\890438~1.114\SWIFTS~1\[HOW TO RECOVER FILES].TXT	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\America\Noronha	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\America\Resolute	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\ANTARC~1\DumontDUrville	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\Etc\GMT-7	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File created	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\features\OR7910~1.V20\[HOW TO RECOVER FILES].TXT	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Google\Chrome\APPLIC~1\890438~1.114\Locales\nb.pak	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\Africa\Casablanca	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File created	C:\PROGRA~1\Java\JDK17~1.0_8\lib\visualvm\[HOW TO RECOVER FILES].TXT	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\America\Chihuahua	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\Europe\Stockholm	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\content-types.properties	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\America\Tijuana	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\Asia\Srednekolymsk	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\Etc\UCT	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\Pacific\Pago_Pago	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\7-Zip\descript.ion	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Google\Chrome\APPLIC~1\890438~1.114\Locales\fa.pak	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\visualvm\platform\config\Modules\org-openide-compat.xml	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\Asia\Yakutsk	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\Europe\Kaliningrad	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\Pacific\Funafuti	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\Pacific\Kiritimati	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\Indian\Cocos	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\plugins\org.w3c.dom.events_3.0.0.draft20060413_v201105210656.jar	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\images\cursors\win32_CopyDrop32x32.gif	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\security\US_export_policy.jar	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Google\Chrome\APPLIC~1\890438~1.114\Locales\zh-TW.pak	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\ANTARC~1\Vostok	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\SystemV\MST7MDT	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\plugins\com.ibm.icu_52.1.0.v201404241930.jar	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\7-Zip\Lang\da.txt	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Google\Chrome\APPLIC~1\890438~1.114\Locales\hi.pak	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\zi\AUSTRA~1\Lord_Howe	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\lib\MISSIO~1\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\db\bin\stopNetworkServer.bat	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\lib\jsse.jar	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\db\lib\derbytools.jar	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
File opened for modification	C:\PROGRA~1\Java\JDK17~1.0_8\jre\bin\javacpl.cpl	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

1612 net.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

2352 vssadmin.exe
1784 vssadmin.exe
2044 vssadmin.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe

pid process

756 d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe

pid process

756 d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe

pid	process
1612	net.exe

pid	process
2352	vssadmin.exe
1784	vssadmin.exe
2044	vssadmin.exe

pid	process
756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe

pid	process
756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exevssvc.exe

description	pid	process
Token: SeSecurityPrivilege	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
Token: SeTakeOwnershipPrivilege	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
Token: SeBackupPrivilege	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
Token: SeRestorePrivilege	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
Token: SeManageVolumePrivilege	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
Token: SeDebugPrivilege	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
Token: SeBackupPrivilege	2508	vssvc.exe
Token: SeRestorePrivilege	2508	vssvc.exe
Token: SeAuditPrivilege	2508	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 756 wrote to memory of 1964	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1964	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1964	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1964	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 2016	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 2016	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 2016	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 2016	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1940	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1940	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1940	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1940	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 2016 wrote to memory of 336	2016	net.exe	net1.exe
PID 2016 wrote to memory of 336	2016	net.exe	net1.exe
PID 2016 wrote to memory of 336	2016	net.exe	net1.exe
PID 2016 wrote to memory of 336	2016	net.exe	net1.exe
PID 1940 wrote to memory of 1100	1940	net.exe	net1.exe
PID 1940 wrote to memory of 1100	1940	net.exe	net1.exe
PID 1940 wrote to memory of 1100	1940	net.exe	net1.exe
PID 1940 wrote to memory of 1100	1940	net.exe	net1.exe
PID 1964 wrote to memory of 1224	1964	net.exe	net1.exe
PID 1964 wrote to memory of 1224	1964	net.exe	net1.exe
PID 1964 wrote to memory of 1224	1964	net.exe	net1.exe
PID 1964 wrote to memory of 1224	1964	net.exe	net1.exe
PID 756 wrote to memory of 696	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 696	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 696	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 696	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1340	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1340	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1340	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1340	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 696 wrote to memory of 768	696	net.exe	net1.exe
PID 696 wrote to memory of 768	696	net.exe	net1.exe
PID 696 wrote to memory of 768	696	net.exe	net1.exe
PID 696 wrote to memory of 768	696	net.exe	net1.exe
PID 1340 wrote to memory of 908	1340	net.exe	net1.exe
PID 1340 wrote to memory of 908	1340	net.exe	net1.exe
PID 1340 wrote to memory of 908	1340	net.exe	net1.exe
PID 1340 wrote to memory of 908	1340	net.exe	net1.exe
PID 756 wrote to memory of 1140	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1140	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1140	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1140	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 1140 wrote to memory of 864	1140	net.exe	net1.exe
PID 1140 wrote to memory of 864	1140	net.exe	net1.exe
PID 1140 wrote to memory of 864	1140	net.exe	net1.exe
PID 1140 wrote to memory of 864	1140	net.exe	net1.exe
PID 756 wrote to memory of 1884	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1884	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1884	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 1884	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 1884 wrote to memory of 1656	1884	net.exe	net1.exe
PID 1884 wrote to memory of 1656	1884	net.exe	net1.exe
PID 1884 wrote to memory of 1656	1884	net.exe	net1.exe
PID 1884 wrote to memory of 1656	1884	net.exe	net1.exe
PID 756 wrote to memory of 704	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 704	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 704	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 756 wrote to memory of 704	756	d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe	net.exe
PID 704 wrote to memory of 832	704	net.exe	net1.exe
PID 704 wrote to memory of 832	704	net.exe	net1.exe
PID 704 wrote to memory of 832	704	net.exe	net1.exe
PID 704 wrote to memory of 832	704	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe
"C:\Users\Admin\AppData\Local\Temp\d3f80ebec40d7c729b87c19bd8f1760a8ec88228839e7d408d571b1577b2b776.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "CSFalconService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "CSFalconService" /y
3⤵
PID:1224

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "McAfeeFramework" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfeeFramework" /y
3⤵
PID:336

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Alerter" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Alerter" /y
3⤵
PID:1100

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "AcronisAgent" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AcronisAgent" /y
3⤵
PID:768

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
3⤵
PID:908

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecAgentAccelerator" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y
3⤵
PID:864

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecDeviceMediaService" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y
3⤵
PID:1656

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecJobEngine" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecJobEngine" /y
3⤵
PID:832

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecManagementService" /y
2⤵
PID:1376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecManagementService" /y
3⤵
PID:748

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecRPCService" /y
2⤵
PID:608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecRPCService" /y
3⤵
PID:952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BackupExecVSSProvider" /y
2⤵
PID:896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y
3⤵
PID:1664

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "DFSR" /y
2⤵
PID:1200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "DFSR" /y
3⤵
PID:1460

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPIntegrationService" /y
2⤵
PID:1556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPIntegrationService" /y
3⤵
PID:1308

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPProtectedService" /y
2⤵
PID:996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPProtectedService" /y
3⤵
PID:924

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPSecurityService" /y
2⤵
PID:1196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPSecurityService" /y
3⤵
PID:1092

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EPUpdateService" /y
2⤵
PID:288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPUpdateService" /y
3⤵
PID:1088

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MB3Service" /y
2⤵
PID:1732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MB3Service" /y
3⤵
PID:1608

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MBAMService" /y
2⤵
PID:1836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MBAMService" /y
3⤵
PID:2028

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MBEndpointAgent" /y
2⤵
PID:2008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MBEndpointAgent" /y
3⤵
PID:816

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeES" /y
2⤵
PID:1668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeES" /y
3⤵
PID:1744

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeMGMT" /y
2⤵
PID:1596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMGMT" /y
3⤵
PID:2064

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeMTA" /y
2⤵
PID:2072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMTA" /y
3⤵
PID:2096

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeSA" /y
2⤵
PID:2104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSA" /y
3⤵
PID:2128

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeSRS" /y
2⤵
PID:2136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSRS" /y
3⤵
PID:2176

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeADTopology" /y
2⤵
PID:2144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeADTopology" /y
3⤵
PID:2196

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeDelivery" /y
2⤵
PID:2204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeDelivery" /y
3⤵
PID:2228

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeDiagnostics" /y
2⤵
PID:2236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeDiagnostics" /y
3⤵
PID:2260

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeEdgeSync" /y
2⤵
PID:2268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeEdgeSync" /y
3⤵
PID:2292

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeHM" /y
2⤵
PID:2300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeHM" /y
3⤵
PID:2324

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeHMRecovery" /y
2⤵
PID:2332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeHMRecovery" /y
3⤵
PID:2356

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeIS" /y
2⤵
PID:2364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeIS" /y
3⤵
PID:2388

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeMailboxReplication" /y
2⤵
PID:2396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMailboxReplication" /y
3⤵
PID:2420

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeRPC" /y
2⤵
PID:2428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeRPC" /y
3⤵
PID:2452

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeRepl" /y
2⤵
PID:2460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeRepl" /y
3⤵
PID:2484

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeServiceHost" /y
2⤵
PID:2492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeServiceHost" /y
3⤵
PID:2516

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeTransport" /y
2⤵
PID:2524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeTransport" /y
3⤵
PID:2548

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeUM" /y
2⤵
PID:2556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeUM" /y
3⤵
PID:2580

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSExchangeUMCR" /y
2⤵
PID:2588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeUMCR" /y
3⤵
PID:2612

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$*" /y
2⤵
PID:2620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$*" /y
3⤵
PID:2644

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLSERVER" /y
2⤵
PID:2652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLSERVER" /y
3⤵
PID:2676

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MsDtsServer" /y
2⤵
PID:2684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer" /y
3⤵
PID:2708

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MySQL57" /y
2⤵
PID:2716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MySQL57" /y
3⤵
PID:2740

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "OSearch15" /y
2⤵
PID:2748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "OSearch15" /y
3⤵
PID:2772

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "OracleClientCache80" /y
2⤵
PID:2780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "OracleClientCache80" /y
3⤵
PID:2804

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "QuickBooksDB25" /y
2⤵
PID:2812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "QuickBooksDB25" /y
3⤵
PID:2836

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPAdminV4" /y
2⤵
PID:2844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPAdminV4" /y
3⤵
PID:2868

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPSearchHostController" /y
2⤵
PID:2876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPSearchHostController" /y
3⤵
PID:2900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPTraceV4" /y
2⤵
PID:2908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPTraceV4" /y
3⤵
PID:2932

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPUserCodeV4" /y
2⤵
PID:2940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPUserCodeV4" /y
3⤵
PID:2964

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SPWriterV4" /y
2⤵
PID:2972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SPWriterV4" /y
3⤵
PID:2996

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLBrowser" /y
2⤵
PID:3004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBrowser" /y
3⤵
PID:3028

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLSafeOLRService" /y
2⤵
PID:3036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLSafeOLRService" /y
3⤵
PID:3060

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
2⤵
PID:3068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
3⤵
PID:2100

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLSERVERAGENT" /y
2⤵
PID:1072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y
3⤵
PID:1268

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLTELEMETRY" /y
2⤵
PID:632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLTELEMETRY" /y
3⤵
PID:1740

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLBackups" /y
2⤵
PID:2076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBackups" /y
3⤵
PID:1644

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$*" /y
2⤵
PID:952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$*" /y
3⤵
PID:1048

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$*" /y
2⤵
PID:440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$*" /y
3⤵
PID:836

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSMQ" /y
2⤵
PID:1588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSMQ" /y
3⤵
PID:1832

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer" /y
2⤵
PID:980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer" /y
3⤵
PID:1016

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$*" /y
2⤵
PID:2016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$*" /y
3⤵
PID:864

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLWriter" /y
2⤵
PID:580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLWriter" /y
3⤵
PID:1508

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLBackupAgent" /y
2⤵
PID:704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBackupAgent" /y
3⤵
PID:288

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
2⤵
PID:1748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
3⤵
PID:1656

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SyncoveryVSSService" /y
2⤵
PID:748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SyncoveryVSSService" /y
3⤵
PID:1836

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamBackupSvc" /y
2⤵
PID:1636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamBackupSvc" /y
3⤵
PID:1828

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamCatalogSvc" /y
2⤵
PID:1116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y
3⤵
PID:2040

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamCloudSvc" /y
2⤵
PID:1940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamCloudSvc" /y
3⤵
PID:1264

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamEndpointBackupSvc" /y
2⤵
PID:1964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamEndpointBackupSvc" /y
3⤵
PID:2176

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamEnterpriseManagerSvc" /y
2⤵
PID:2172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y
3⤵
PID:1792

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamMountSvc" /y
2⤵
PID:1196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamMountSvc" /y
3⤵
PID:1568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamNFSSvc" /y
2⤵
PID:2112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamNFSSvc" /y
3⤵
PID:1184

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamRESTSvc" /y
2⤵
PID:1248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamRESTSvc" /y
3⤵
PID:2008

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VeeamTransportSvc /y
2⤵
PID:1552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamTransportSvc /y
3⤵
PID:1028

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
2⤵
PID:2196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
3⤵
PID:2216

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "epag" /y
2⤵
PID:2228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "epag" /y
3⤵
PID:2248

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "epredline" /y
2⤵
PID:2260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "epredline" /y
3⤵
PID:2280

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "mozyprobackup" /y
2⤵
PID:2292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mozyprobackup" /y
3⤵
PID:2312

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "masvc" /y
2⤵
PID:2324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "masvc" /y
3⤵
PID:2344

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "macmnsvc" /y
2⤵
PID:2356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "macmnsvc" /y
3⤵
PID:2376

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "mfemms" /y
2⤵
PID:2388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mfemms" /y
3⤵
PID:2408

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "McAfeeDLPAgentService" /y
2⤵
PID:2424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfeeDLPAgentService" /y
3⤵
PID:2404

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "psqlWGE" /y
2⤵
PID:2456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "psqlWGE" /y
3⤵
PID:2436

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "swprv" /y
2⤵
PID:2488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "swprv" /y
3⤵
PID:2468

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "wsbexchange" /y
2⤵
PID:2520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wsbexchange" /y
3⤵
PID:2500

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "WinVNC4" /y
2⤵
PID:2552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WinVNC4" /y
3⤵
PID:2532

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "TMBMServer" /y
2⤵
PID:2584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TMBMServer" /y
3⤵
PID:2564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "tmccsf" /y
2⤵
PID:2616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "tmccsf" /y
3⤵
PID:2596

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "tmlisten" /y
2⤵
PID:2648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "tmlisten" /y
3⤵
PID:2628

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "VSNAPVSS" /y
2⤵
PID:2680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VSNAPVSS" /y
3⤵
PID:2660

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "stc_endpt_svc" /y
2⤵
PID:2712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "stc_endpt_svc" /y
3⤵
PID:2692

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "wbengine" /y
2⤵
PID:2744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
3⤵
PID:2724

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "bbagent" /y
2⤵
PID:2776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "bbagent" /y
3⤵
PID:2756

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "NasPmService" /y
2⤵
PID:2808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "NasPmService" /y
3⤵
PID:2788

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BASupportExpressStandaloneService_N_Central" /y
2⤵
PID:2840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BASupportExpressStandaloneService_N_Central" /y
3⤵
PID:2820

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "BASupportExpressSrvcUpdater_N_Central" /y
2⤵
PID:2872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BASupportExpressSrvcUpdater_N_Central" /y
3⤵
PID:2852

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "hasplms" /y
2⤵
PID:2904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "hasplms" /y
3⤵
PID:2884

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EqlVss" /y
2⤵
PID:2936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EqlVss" /y
3⤵
PID:2916

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "EqlReqService" /y
2⤵
PID:2968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EqlReqService" /y
3⤵
PID:2948

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "RapidRecoveryAgent" /y
2⤵
PID:3000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "RapidRecoveryAgent" /y
3⤵
PID:2980

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "YTBackup" /y
2⤵
PID:3032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "YTBackup" /y
3⤵
PID:3012

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "vhdsvc" /y
2⤵
PID:3064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "vhdsvc" /y
3⤵
PID:3044

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "TeamViewer" /y
2⤵
- Discovers systems in the same network
PID:1612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TeamViewer" /y
3⤵
PID:2084

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$SQL_2008" /y
2⤵
PID:2132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y
3⤵
PID:1760

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$SYSTEM_BGC" /y
2⤵
PID:2088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y
3⤵
PID:2024

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$TPS" /y
2⤵
PID:1136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPS" /y
3⤵
PID:1460

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSOLAP$TPSAMA" /y
2⤵
PID:1448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y
3⤵
PID:1456

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$BKUPEXEC" /y
2⤵
PID:300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y
3⤵
PID:1648

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$ECWDB2" /y
2⤵
PID:1096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y
3⤵
PID:528

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PRACTICEMGT" /y
2⤵
PID:768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y
3⤵
PID:520

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PRACTTICEBGC" /y
2⤵
PID:2020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y
3⤵
PID:324

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PROD" /y
2⤵
PID:832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROD" /y
3⤵
PID:1564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$PROFXENGAGEMENT" /y
2⤵
PID:1176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y
3⤵
PID:1336

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SBSMONITORING" /y
2⤵
PID:1092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y
3⤵
PID:1664

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SHAREPOINT" /y
2⤵
PID:1536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y
3⤵
PID:2168

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SOPHOS" /y
2⤵
PID:1340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y
3⤵
PID:1616

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SQL_2008" /y
2⤵
PID:1604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y
3⤵
PID:2188

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SQLEXPRESS" /y
2⤵
PID:460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y
3⤵
PID:1676

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$SYSTEM_BGC" /y
2⤵
PID:1000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y
3⤵
PID:1112

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$TPS" /y
2⤵
PID:2136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPS" /y
3⤵
PID:1704

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$TPSAMA" /y
2⤵
PID:2104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y
3⤵
PID:1504

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$VEEAMSQL2008R2" /y
2⤵
PID:1780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
3⤵
PID:2012

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQL$VEEAMSQL2012" /y
2⤵
PID:652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y
3⤵
PID:1368

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher" /y
2⤵
PID:1520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y
3⤵
PID:1596

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
2⤵
PID:2164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
3⤵
PID:2148

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SBSMONITORING" /y
2⤵
PID:2204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y
3⤵
PID:2224

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SHAREPOINT" /y
2⤵
PID:2236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y
3⤵
PID:2252

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SQL_2008" /y
2⤵
PID:2268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y
3⤵
PID:2284

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SYSTEM_BGC" /y
2⤵
PID:2300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y
3⤵
PID:2316

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$TPS" /y
2⤵
PID:2352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y
3⤵
PID:2348

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$TPSAMA" /y
2⤵
PID:2364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y
3⤵
PID:2380

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLSERVER" /y
2⤵
PID:2416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLSERVER" /y
3⤵
PID:2396

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLServerADHelper" /y
2⤵
PID:2432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y
3⤵
PID:2428

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLServerADHelper100" /y
2⤵
PID:1584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y
3⤵
PID:2488

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "MSSQLServerOLAPService" /y
2⤵
PID:2464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y
3⤵
PID:2520

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$BKUPEXEC" /y
2⤵
PID:2512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y
3⤵
PID:2552

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$CITRIX_METAFRAME" /y
2⤵
PID:2528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y
3⤵
PID:2584

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$CXDB" /y
2⤵
PID:2576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y
3⤵
PID:2616

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$ECWDB2" /y
2⤵
PID:2604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y
3⤵
PID:2648

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PRACTTICEBGC" /y
2⤵
PID:2640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y
3⤵
PID:2680

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PRACTTICEMGT" /y
2⤵
PID:2672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y
3⤵
PID:2712

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PROD" /y
2⤵
PID:2704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROD" /y
3⤵
PID:2744

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$PROFXENGAGEMENT" /y
2⤵
PID:2736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y
3⤵
PID:2776

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SBSMONITORING" /y
2⤵
PID:2768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y
3⤵
PID:2808

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SHAREPOINT" /y
2⤵
PID:2784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y
3⤵
PID:2840

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SOPHOS" /y
2⤵
PID:2828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y
3⤵
PID:2872

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SQL_2008" /y
2⤵
PID:2864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y
3⤵
PID:2904

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SQLEXPRESS" /y
2⤵
PID:2896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y
3⤵
PID:2936

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$SYSTEM_BGC" /y
2⤵
PID:2924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y
3⤵
PID:2968

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$TPS" /y
2⤵
PID:2960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPS" /y
3⤵
PID:3000

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$TPSAMA" /y
2⤵
PID:2976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y
3⤵
PID:3032

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$VEEAMSQL2008R2" /y
2⤵
PID:3020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
3⤵
PID:3064

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "SQLAgent$VEEAMSQL2012" /y
2⤵
PID:3052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y
3⤵
PID:1612

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$SQL_2008" /y
2⤵
PID:1628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y
3⤵
PID:2132

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$SYSTEM_BGC" /y
2⤵
PID:560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y
3⤵
PID:2088

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$TPS" /y
2⤵
PID:2068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPS" /y
3⤵
PID:1136

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "ReportServer$TPSAMA" /y
2⤵
PID:1644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y
3⤵
PID:1448

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1784

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=C: /on=C: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:2044

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=C: /on=C: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:2352