Malware Analysis Report

2024-10-16 03:14

Sample ID 220306-c24z3shgh2
Target 6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d
SHA256 6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d
Tags
conti ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d

Threat Level: Known bad

The file 6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d was found to be: Known bad.

Malicious Activity Summary

conti ransomware

Conti Ransomware

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

Drops desktop.ini file(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-06 02:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-06 02:35

Reported

2022-03-06 02:37

Platform

win7-en-20211208

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe"

Signatures

Conti Ransomware

ransomware conti

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\CheckpointDismount.raw => C:\Users\Admin\Pictures\CheckpointDismount.raw.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File renamed C:\Users\Admin\Pictures\ExportOpen.tif => C:\Users\Admin\Pictures\ExportOpen.tif.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File renamed C:\Users\Admin\Pictures\FormatLock.crw => C:\Users\Admin\Pictures\FormatLock.crw.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File renamed C:\Users\Admin\Pictures\CompleteResolve.tif => C:\Users\Admin\Pictures\CompleteResolve.tif.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File renamed C:\Users\Admin\Pictures\ResolveEnable.png => C:\Users\Admin\Pictures\ResolveEnable.png.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File renamed C:\Users\Admin\Pictures\OpenUnpublish.raw => C:\Users\Admin\Pictures\OpenUnpublish.raw.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File renamed C:\Users\Admin\Pictures\CompareWait.crw => C:\Users\Admin\Pictures\CompareWait.crw.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File renamed C:\Users\Admin\Pictures\UnprotectRead.png => C:\Users\Admin\Pictures\UnprotectRead.png.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\D: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\f: C:\Windows\SysWOW64\vssadmin.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1180 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 1500 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1180 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1180 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1180 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1180 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1180 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1180 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 1008 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1180 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe

"C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AcronisAgent /y

C:\Windows\SysWOW64\net.exe

net stop AcronisAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AcrSch2Svc /y

C:\Windows\SysWOW64\net.exe

net stop AcrSch2Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Antivirus /y

C:\Windows\SysWOW64\net.exe

net stop Antivirus /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Antivirus /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ARSM /y

C:\Windows\SysWOW64\net.exe

net stop ARSM /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ARSM /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecManagementService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecManagementService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecRPCService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecRPCService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop bedbg /y

C:\Windows\SysWOW64\net.exe

net stop bedbg /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop bedbg /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop DCAgent /y

C:\Windows\SysWOW64\net.exe

net stop DCAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop DCAgent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EPSecurityService /y

C:\Windows\SysWOW64\net.exe

net stop EPSecurityService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EPSecurityService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EPUpdateService /y

C:\Windows\SysWOW64\net.exe

net stop EPUpdateService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EPUpdateService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EraserSvc11710 /y

C:\Windows\SysWOW64\net.exe

net stop EraserSvc11710 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EraserSvc11710 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EsgShKernel /y

C:\Windows\SysWOW64\net.exe

net stop EsgShKernel /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EsgShKernel /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop FA_Scheduler /y

C:\Windows\SysWOW64\net.exe

net stop FA_Scheduler /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop FA_Scheduler /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop IISAdmin /y

C:\Windows\SysWOW64\net.exe

net stop IISAdmin /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop IISAdmin /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop IMAP4Svc /y

C:\Windows\SysWOW64\net.exe

net stop IMAP4Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop IMAP4Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop McShield /y

C:\Windows\SysWOW64\net.exe

net stop McShield /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McShield /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop McTaskManager /y

C:\Windows\SysWOW64\net.exe

net stop McTaskManager /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McTaskManager /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfemms /y

C:\Windows\SysWOW64\net.exe

net stop mfemms /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfemms /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfevtp /y

C:\Windows\SysWOW64\net.exe

net stop mfevtp /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfevtp /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MMS /y

C:\Windows\SysWOW64\net.exe

net stop MMS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MMS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mozyprobackup /y

C:\Windows\SysWOW64\net.exe

net stop mozyprobackup /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mozyprobackup /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer100 /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer100 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer100 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer110 /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer110 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer110 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeES /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeES /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeES /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeIS /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeIS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeIS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeMGMT /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeMGMT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeMGMT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeMTA /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeMTA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeMTA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeSA /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeSA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeSA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeSRS /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeSRS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeSRS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MySQL57 /y

C:\Windows\SysWOW64\net.exe

net stop MySQL57 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MySQL57 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ntrtscan /y

C:\Windows\SysWOW64\net.exe

net stop ntrtscan /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ntrtscan /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop OracleClientCache80 /y

C:\Windows\SysWOW64\net.exe

net stop OracleClientCache80 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop OracleClientCache80 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop PDVFSService /y

C:\Windows\SysWOW64\net.exe

net stop PDVFSService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop POP3Svc /y

C:\Windows\SysWOW64\net.exe

net stop POP3Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop POP3Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$TPS /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop RESvc /y

C:\Windows\SysWOW64\net.exe

net stop RESvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop RESvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop sacsvr /y

C:\Windows\SysWOW64\net.exe

net stop sacsvr /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop sacsvr /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SamSs /y

C:\Windows\SysWOW64\net.exe

net stop SamSs /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SamSs /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SAVAdminService /y

C:\Windows\SysWOW64\net.exe

net stop SAVAdminService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SAVAdminService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SAVService /y

C:\Windows\SysWOW64\net.exe

net stop SAVService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SAVService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SDRSVC /y

C:\Windows\SysWOW64\net.exe

net stop SDRSVC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SDRSVC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SepMasterService /y

C:\Windows\SysWOW64\net.exe

net stop SepMasterService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SepMasterService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ShMonitor /y

C:\Windows\SysWOW64\net.exe

net stop ShMonitor /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ShMonitor /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Smcinst /y

C:\Windows\SysWOW64\net.exe

net stop Smcinst /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Smcinst /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SmcService /y

C:\Windows\SysWOW64\net.exe

net stop SmcService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SmcService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SMTPSvc /y

C:\Windows\SysWOW64\net.exe

net stop SMTPSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SMTPSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$TPS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLBrowser /y

C:\Windows\SysWOW64\net.exe

net stop SQLBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLSafeOLRService /y

C:\Windows\SysWOW64\net.exe

net stop SQLSafeOLRService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLSafeOLRService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\net.exe

net stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLTELEMETRY /y

C:\Windows\SysWOW64\net.exe

net stop SQLTELEMETRY /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLWriter /y

C:\Windows\SysWOW64\net.exe

net stop SQLWriter /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLWriter /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamBackupSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamBackupSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamBackupSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamCloudSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamCloudSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamCloudSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net.exe

net stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamDeploySvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamDeploySvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploySvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamMountSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamMountSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamMountSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamRESTSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamRESTSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamRESTSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop W3Svc /y

C:\Windows\SysWOW64\net.exe

net stop W3Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop W3Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wbengine /y

C:\Windows\SysWOW64\net.exe

net stop wbengine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop WRSVC /y

C:\Windows\SysWOW64\net.exe

net stop WRSVC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop WRSVC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop swi_update /y

C:\Windows\SysWOW64\net.exe

net stop swi_update /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop swi_update /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROD /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PROD /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop msftesql$PROD /y

C:\Windows\SysWOW64\net.exe

net stop msftesql$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop msftesql$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop NetMsmqActivator /y

C:\Windows\SysWOW64\net.exe

net stop NetMsmqActivator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop NetMsmqActivator /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EhttpSrv /y

C:\Windows\SysWOW64\net.exe

net stop EhttpSrv /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EhttpSrv /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ekrn /y

C:\Windows\SysWOW64\net.exe

net stop ekrn /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ekrn /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ESHASRV /y

C:\Windows\SysWOW64\net.exe

net stop ESHASRV /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ESHASRV /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AVP /y

C:\Windows\SysWOW64\net.exe

net stop AVP /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AVP /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop klnagent /y

C:\Windows\SysWOW64\net.exe

net stop klnagent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop klnagent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wbengine /y

C:\Windows\SysWOW64\net.exe

net stop wbengine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfefire /y

C:\Windows\SysWOW64\net.exe

net stop mfefire /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfefire /y

Network

N/A

Files

memory/1180-55-0x0000000075831000-0x0000000075833000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-06 02:35

Reported

2022-03-06 02:37

Platform

win10v2004-en-20220112

Max time kernel

94s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe"

Signatures

Conti Ransomware

ransomware conti

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\UndoSkip.tif => C:\Users\Admin\Pictures\UndoSkip.tif.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File renamed C:\Users\Admin\Pictures\CheckpointClose.crw => C:\Users\Admin\Pictures\CheckpointClose.crw.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File renamed C:\Users\Admin\Pictures\ExportUnpublish.png => C:\Users\Admin\Pictures\ExportUnpublish.png.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File renamed C:\Users\Admin\Pictures\StopUpdate.crw => C:\Users\Admin\Pictures\StopUpdate.crw.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File renamed C:\Users\Admin\Pictures\StepDismount.raw => C:\Users\Admin\Pictures\StepDismount.raw.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File renamed C:\Users\Admin\Pictures\SyncSave.tif => C:\Users\Admin\Pictures\SyncSave.tif.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File renamed C:\Users\Admin\Pictures\ResizeGet.raw => C:\Users\Admin\Pictures\ResizeGet.raw.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File renamed C:\Users\Admin\Pictures\PingClear.raw => C:\Users\Admin\Pictures\PingClear.raw.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File renamed C:\Users\Admin\Pictures\GrantNew.png => C:\Users\Admin\Pictures\GrantNew.png.CONTI C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3996 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2392 wrote to memory of 2268 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3996 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3260 wrote to memory of 3932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3932 wrote to memory of 3364 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3996 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe

"C:\Users\Admin\AppData\Local\Temp\6f0c6f447a18ad9fd81382b062d16d07eede05a15ab75870c0fdb43d421bb42d.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AcronisAgent /y

C:\Windows\SysWOW64\net.exe

net stop AcronisAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AcrSch2Svc /y

C:\Windows\SysWOW64\net.exe

net stop AcrSch2Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Antivirus /y

C:\Windows\SysWOW64\net.exe

net stop Antivirus /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Antivirus /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ARSM /y

C:\Windows\SysWOW64\net.exe

net stop ARSM /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ARSM /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecManagementService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecManagementService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecRPCService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecRPCService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop bedbg /y

C:\Windows\SysWOW64\net.exe

net stop bedbg /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop bedbg /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop DCAgent /y

C:\Windows\SysWOW64\net.exe

net stop DCAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop DCAgent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EPSecurityService /y

C:\Windows\SysWOW64\net.exe

net stop EPSecurityService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EPSecurityService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EPUpdateService /y

C:\Windows\SysWOW64\net.exe

net stop EPUpdateService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EPUpdateService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EraserSvc11710 /y

C:\Windows\SysWOW64\net.exe

net stop EraserSvc11710 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EraserSvc11710 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EsgShKernel /y

C:\Windows\SysWOW64\net.exe

net stop EsgShKernel /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EsgShKernel /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop FA_Scheduler /y

C:\Windows\SysWOW64\net.exe

net stop FA_Scheduler /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop FA_Scheduler /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop IISAdmin /y

C:\Windows\SysWOW64\net.exe

net stop IISAdmin /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop IISAdmin /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop IMAP4Svc /y

C:\Windows\SysWOW64\net.exe

net stop IMAP4Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop IMAP4Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop McShield /y

C:\Windows\SysWOW64\net.exe

net stop McShield /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McShield /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop McTaskManager /y

C:\Windows\SysWOW64\net.exe

net stop McTaskManager /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McTaskManager /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfemms /y

C:\Windows\SysWOW64\net.exe

net stop mfemms /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfemms /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfevtp /y

C:\Windows\SysWOW64\net.exe

net stop mfevtp /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfevtp /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MMS /y

C:\Windows\SysWOW64\net.exe

net stop MMS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MMS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mozyprobackup /y

C:\Windows\SysWOW64\net.exe

net stop mozyprobackup /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mozyprobackup /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer100 /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer100 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer100 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer110 /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer110 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer110 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeES /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeES /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeES /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeIS /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeIS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeIS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeMGMT /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeMGMT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeMGMT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeMTA /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeMTA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeMTA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeSA /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeSA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeSA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeSRS /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeSRS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeSRS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MySQL57 /y

C:\Windows\SysWOW64\net.exe

net stop MySQL57 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MySQL57 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ntrtscan /y

C:\Windows\SysWOW64\net.exe

net stop ntrtscan /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ntrtscan /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop OracleClientCache80 /y

C:\Windows\SysWOW64\net.exe

net stop OracleClientCache80 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop OracleClientCache80 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop PDVFSService /y

C:\Windows\SysWOW64\net.exe

net stop PDVFSService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop POP3Svc /y

C:\Windows\SysWOW64\net.exe

net stop POP3Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop POP3Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$TPS /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop RESvc /y

C:\Windows\SysWOW64\net.exe

net stop RESvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop RESvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop sacsvr /y

C:\Windows\SysWOW64\net.exe

net stop sacsvr /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop sacsvr /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SamSs /y

C:\Windows\SysWOW64\net.exe

net stop SamSs /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SamSs /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SAVAdminService /y

C:\Windows\SysWOW64\net.exe

net stop SAVAdminService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SAVAdminService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SAVService /y

C:\Windows\SysWOW64\net.exe

net stop SAVService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SAVService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SDRSVC /y

C:\Windows\SysWOW64\net.exe

net stop SDRSVC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SDRSVC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SepMasterService /y

C:\Windows\SysWOW64\net.exe

net stop SepMasterService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SepMasterService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ShMonitor /y

C:\Windows\SysWOW64\net.exe

net stop ShMonitor /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ShMonitor /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Smcinst /y

C:\Windows\SysWOW64\net.exe

net stop Smcinst /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Smcinst /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SmcService /y

C:\Windows\SysWOW64\net.exe

net stop SmcService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SmcService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SMTPSvc /y

C:\Windows\SysWOW64\net.exe

net stop SMTPSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SMTPSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$TPS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLBrowser /y

C:\Windows\SysWOW64\net.exe

net stop SQLBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLSafeOLRService /y

C:\Windows\SysWOW64\net.exe

net stop SQLSafeOLRService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLSafeOLRService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\net.exe

net stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLTELEMETRY /y

C:\Windows\SysWOW64\net.exe

net stop SQLTELEMETRY /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLWriter /y

C:\Windows\SysWOW64\net.exe

net stop SQLWriter /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLWriter /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamBackupSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamBackupSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamBackupSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamCloudSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamCloudSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamCloudSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net.exe

net stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamDeploySvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamDeploySvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploySvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamMountSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamMountSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamMountSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamRESTSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamRESTSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamRESTSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop W3Svc /y

C:\Windows\SysWOW64\net.exe

net stop W3Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop W3Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wbengine /y

C:\Windows\SysWOW64\net.exe

net stop wbengine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop WRSVC /y

C:\Windows\SysWOW64\net.exe

net stop WRSVC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop WRSVC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop swi_update /y

C:\Windows\SysWOW64\net.exe

net stop swi_update /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop swi_update /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROD /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PROD /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop msftesql$PROD /y

C:\Windows\SysWOW64\net.exe

net stop msftesql$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop msftesql$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop NetMsmqActivator /y

C:\Windows\SysWOW64\net.exe

net stop NetMsmqActivator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop NetMsmqActivator /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EhttpSrv /y

C:\Windows\SysWOW64\net.exe

net stop EhttpSrv /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EhttpSrv /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ekrn /y

C:\Windows\SysWOW64\net.exe

net stop ekrn /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ekrn /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ESHASRV /y

C:\Windows\SysWOW64\net.exe

net stop ESHASRV /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ESHASRV /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AVP /y

C:\Windows\SysWOW64\net.exe

net stop AVP /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AVP /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop klnagent /y

C:\Windows\SysWOW64\net.exe

net stop klnagent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop klnagent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wbengine /y

C:\Windows\SysWOW64\net.exe

net stop wbengine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfefire /y

C:\Windows\SysWOW64\net.exe

net stop mfefire /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfefire /y

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| US | 52.137.103.96:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| N/A | 10.127.0.1:445 | | tcp |
| N/A | 10.127.0.1:139 | | tcp |

Files

N/A