Malware Analysis Report

2024-10-23 18:37

Sample ID 220220-daxx5aghfp
Target b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8
SHA256 b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8
Tags
ryuk persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8

Threat Level: Known bad

The file b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8 was found to be: Known bad.

Malicious Activity Summary

ryuk persistence ransomware

Ryuk

Checks computer location settings

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Runs net.exe

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 02:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 02:48

Reported

2022-02-20 03:13

Platform

win7-en-20211208

Max time kernel

169s

Max time network

150s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Ryuk

ransomware ryuk

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kk.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\yo.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\SpeechEngines\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\de-DE\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\License.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VGX\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\et.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mr.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\en-US\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\en-US\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kab.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sa.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\System\es-ES\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\adcjavas.inc C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\lij.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ru.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\de.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku.txt C:\Windows\system32\taskhost.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 1928 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe

"C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "454446870-2078751958176106590-8134576631384567631-18451716916430804871910280670"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2465670201682248804342445360-1441208135-147494929748502138211315612181151664843"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-96054946-360891604534679438166864856-1328501310-517941429447967913848526202"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "269064604336753904-1425477451-169531417618726791-11397118392098539666-537786109"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM excel.exe /F

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "267621200125614350912333549751916971399-1443058193-17451554332039784752-119245075"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "127110865-1120333894-1631028372-801083679-919185835166161800722881281-391475204"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1967264039125433521-1938154310-15736282917993396761021852373-330305623-1989709371"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM infopath.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-996344263-10710380491323810969-12029603383822343131328931869710397844-1606804582"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-199109877132100817-13870003058295027821372556351-572504660-750433797588464690"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-530733491-1042048819-16494275011522122768277831677-261856073-3231329212025102922"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2078753078-87468433217617589101835880839-4916478442000623625-2002583680571840058"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM mspub.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM onenote.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM oracle.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM outlook.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM steam.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM synctime.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM thebat.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM visio.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM winword.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos Agent" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos Health Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos Message Router" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop AcronisAgent /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop AcrSch2Svc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop Antivirus /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ARSM /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop BackupExecManagementService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop BackupExecRPCService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop bedbg /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop DCAgent /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop EPSecurityService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop EPUpdateService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop EraserSvc11710 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop EsgShKernel /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop FA_Scheduler /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop IISAdmin /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop IMAP4Svc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop macmnsvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop masvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MBAMService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MBEndpointAgent /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop McAfeeEngineService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop McAfeeFramework /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop McShield /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop McTaskManager /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop mfemms /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop mfevtp /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MMS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop mozyprobackup /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MsDtsServer /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MsDtsServer100 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MsDtsServer110 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSExchangeES /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSExchangeIS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSExchangeMGMT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSExchangeMTA /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSExchangeSA /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSExchangeSRS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$TPS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLSERVER /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MySQL80 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MySQL57 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ntrtscan /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop OracleClientCache80 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop PDVFSService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop POP3Svc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ReportServer /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ReportServer$TPS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop RESvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop sacsvr /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SAVAdminService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SamSs /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SAVService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SDRSVC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SepMasterService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ShMonitor /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SmcService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop Smcinst /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SMTPSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SNAC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SntpService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop sophossps /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLBrowser /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLSafeOLRService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLTELEMETRY /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLWriter /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SstpSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ARSM /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos Web Control Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop bedbg /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos Agent" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Symantec System Recovery" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Client" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos Clean Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos Safestore Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos System Protection Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Agent" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos Device Control Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop Antivirus /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos Health Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos Message Router" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop EsgShKernel /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop DCAgent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop EPSecurityService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop EPUpdateService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop EraserSvc11710 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop svcGenericHost /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop macmnsvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSExchangeES /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPSAMA /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MBAMService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McShield /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mozyprobackup /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MsDtsServer100 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MsDtsServer110 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MMS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MsDtsServer /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SAVAdminService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SDRSVC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SamSs /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SAVService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfevtp /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop masvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MBEndpointAgent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeEngineService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop POP3Svc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McTaskManager /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeFramework /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSExchangeIS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfemms /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop IISAdmin /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSExchangeMGMT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop IMAP4Svc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop FA_Scheduler /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSExchangeSA /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSExchangeMTA /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MySQL80 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerOLAPService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSExchangeSRS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ntrtscan /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MySQL57 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPSAMA /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ReportServer /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sacsvr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop RESvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLSafeOLRService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLSERVERAGENT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ShMonitor /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SntpService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SNAC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sophossps /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SmcService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop Smcinst /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SMTPSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SepMasterService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop OracleClientCache80 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop swi_filter /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop svcGenericHost /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SstpSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop swi_filter /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop swi_service /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop swi_update_64 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop TmCCSF /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop swi_update_64 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop tmlisten /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop swi_service /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop TrueKey /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop TrueKeyScheduler /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop UI0Detect /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop TmCCSF /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop tmlisten /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop VeeamBackupSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop TrueKey /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop TrueKeyScheduler /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop VeeamCloudSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop VeeamDeploymentService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop VeeamDeploySvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop VeeamMountSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop W3Svc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop wbengine /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop WRSVC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamMountSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamRESTSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop swi_update /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop UI0Detect /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "SQL Backups" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-207875557216084358961535585053-62627534910170252991265429346944331688543749467"

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$PROD /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$PROD /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop msftesql$PROD /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop NetMsmqActivator /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop EhttpSrv /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop TrueKeyServiceHelper /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ekrn /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ESHASRV /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1883128261-1584453321-1893427871249438934-2106059316-120034024115951622981887000852"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamBrokerSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamBackupSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop AVP /y

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1242693563234943969-964807819-9406446821385411067614163144-957442168-863174725"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-759544431249514805185461632-13386907-122553147516940807541671310525-533227329"

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop klnagent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop swi_update /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop wbengine /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop kavfsslp /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop KAVFSGT /y

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "20019768331594263087-2307457942037057201-1924154471596504119801675135-954013815"

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop KAVFS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop mfefire /y

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe" /f

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CXDB /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROD /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1624864516-708934170-626181988-1671009833-1213719576388338692-13333217541976319675"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROD /y

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1314033719-11593372419089304732084626982-1963170134-1727278701533952413-155575149"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop NetMsmqActivator /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamCloudSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop msftesql$PROD /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamCatalogSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamDeploySvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SOPHOS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-172080272-1012960816860055318-1414447162-248924883-12652228041208251459-157261772"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AVP /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop klnagent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop kavfsslp /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop KAVFS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfefire /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop KAVFSGT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop W3Svc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ekrn /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop WRSVC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop EhttpSrv /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ESHASRV /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe" /f

Network

N/A

Files

memory/1928-55-0x000007FEFC151000-0x000007FEFC153000-memory.dmp

memory/1208-56-0x000000013F5F0000-0x000000013F624000-memory.dmp

memory/1208-57-0x000000013F5F0000-0x000000013F624000-memory.dmp

memory/1300-60-0x000000013F5F0000-0x000000013F624000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 02:48

Reported

2022-02-20 03:13

Platform

win10v2004-en-20220112

Max time kernel

175s

Max time network

195s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4012 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe
PID 4012 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe C:\Windows\System32\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe

"C:\Users\Admin\AppData\Local\Temp\b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM excel.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM infopath.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM mspub.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM onenote.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM oracle.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM outlook.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM synctime.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM steam.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM thebat.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM visio.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM winword.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos Agent" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos Health Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos Message Router" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop AcronisAgent /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop AcrSch2Svc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop Antivirus /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ARSM /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop BackupExecManagementService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop BackupExecRPCService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop bedbg /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop DCAgent /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop EPSecurityService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop EPUpdateService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop EraserSvc11710 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop EsgShKernel /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop FA_Scheduler /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop IISAdmin /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop IMAP4Svc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop bedbg /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos Agent" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos Clean Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos Device Control Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos Health Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Agent" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Client" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos Safestore Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos Message Router" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos System Protection Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Sophos Web Control Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Symantec System Recovery" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop Antivirus /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ARSM /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop macmnsvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop masvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MBAMService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MBEndpointAgent /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop McAfeeEngineService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop McAfeeFramework /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop McShield /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop McTaskManager /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop mfemms /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop mfevtp /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MMS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop mozyprobackup /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MsDtsServer /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MsDtsServer100 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MsDtsServer110 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSExchangeES /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSExchangeIS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSExchangeMGMT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSExchangeMTA /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSExchangeSA /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSExchangeSRS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop EraserSvc11710 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop EPSecurityService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop EsgShKernel /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop FA_Scheduler /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop IISAdmin /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop IMAP4Svc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MBAMService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeEngineService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MBEndpointAgent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McShield /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McTaskManager /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfemms /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfevtp /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop EPUpdateService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop macmnsvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop DCAgent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MsDtsServer /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSExchangeMGMT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MMS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$TPS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLSERVER /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MySQL80 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSExchangeMTA /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeFramework /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop masvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mozyprobackup /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MsDtsServer110 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSExchangeES /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSExchangeIS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MsDtsServer100 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPSAMA /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MySQL57 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ntrtscan /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop OracleClientCache80 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop PDVFSService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop POP3Svc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ReportServer /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ReportServer$TPS /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop RESvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop sacsvr /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SamSs /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SAVAdminService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SDRSVC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SAVService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SepMasterService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop ShMonitor /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop Smcinst /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SmcService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SMTPSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SNAC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SntpService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop sophossps /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MySQL57 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ntrtscan /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerOLAPService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MySQL80 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop OracleClientCache80 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLBrowser /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLSafeOLRService /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLTELEMETRY /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SQLWriter /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop SstpSvc /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop svcGenericHost /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop swi_filter /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop swi_service /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop swi_update_64 /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop TmCCSF /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop tmlisten /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop TrueKey /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop TrueKeyScheduler /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y

Network

Country Destination Domain Proto
US 93.184.220.29:80 N/A tcp
NL 104.80.224.57:443 N/A tcp
US 13.107.4.50:80 N/A tcp
US 13.107.4.50:80 N/A tcp

Files

N/A