Resubmissions
28-07-2024 16:38 240728-t5tryssgmm 10
07-07-2024 14:07 240707-rfgd8atekm 10
07-07-2024 14:07 240707-re689awdpe 10
13-09-2022 17:54 220913-wg1lpsgbg7 10
Analysis
max time kernel: 1639s
max time network: 1652s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-09-2022 17:54
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral2
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral6
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral8
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral9
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral10
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral12
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral13
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral14
Sample
RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
RansomwareSamples/MountLocker_20_11_2020_200KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral17
Sample
RansomwareSamples/Nemty_03_02_2021_124KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral18
Sample
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
Resource
win10v2004-20220812-en
Behavioral task
behavioral19
Sample
RansomwareSamples/Phoenix_29_03_2021_1930KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral20
Sample
RansomwareSamples/PwndLocker_04_03_2020_17KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral21
Sample
RansomwareSamples/Pysa_08_04_2021_500KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral22
Sample
RansomwareSamples/REvil_07_04_2021_121KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
RansomwareSamples/REvil_08_04_2021_121KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral24
Sample
RansomwareSamples/Ragnar_11_02_2020_40KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral25
Sample
RansomwareSamples/RansomEXX_14_12_2020_156KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Ranzy_20_11_2020_138KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Ryuk_21_03_2021_274KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Sekhmet_30_03_2020_364KB.msi
Resource
win10v2004-20220812-en
Behavioral task
behavioral29
Sample
RansomwareSamples/Sodinokibi_04_07_2019_253KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral30
Sample
RansomwareSamples/SunCrypt_26_01_2021_1422KB.ps1
Resource
win10v2004-20220901-en
Behavioral task
behavioral31
Sample
RansomwareSamples/Thanos_23_03_2021_91KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral32
Sample
RansomwareSamples/Zeppelin_08_03_2021_813KB.exe
Resource
win10v2004-20220812-en
General
Target: RansomwareSamples/PwndLocker_04_03_2020_17KB.exe
Size: 17KB
MD5: 16a29314e8563135b18668036a6f63c8
SHA1: 90cf5ca4df9d78cf92bb865b5b399a4d2752e55b
SHA256: 4e6c191325b37da546e72f4a7334d820995d744bf7bb1a03605adb3ad30ce9ca
SHA512: 45c023e6dd4202079e913b8946825b47fab30b584bbd79b0416152cc4a54975b12205393827289c1f03feb71b54d3b6b34490be3001e9b565c1f89e13e752032
SSDEEP: 384:RJueT9Jtx33bRsoOjhveu+q7hPOx58Zbxe:RJueJx33bDO1uMbc
Malware Config
Extracted
C:\H0w_T0_Rec0very_Files.txt
http://ax3spapdymip4jpy.onion
Signatures
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: PwndLocker_04_03_2020_17KB.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\DisconnectCopy.raw => C:\Users\Admin\Pictures\DisconnectCopy.raw.pwnd | PwndLocker_04_03_2020_17KB.exe
File renamed | C:\Users\Admin\Pictures\FormatRequest.tif => C:\Users\Admin\Pictures\FormatRequest.tif.pwnd | PwndLocker_04_03_2020_17KB.exe
File renamed | C:\Users\Admin\Pictures\StartConnect.png => C:\Users\Admin\Pictures\StartConnect.png.pwnd | PwndLocker_04_03_2020_17KB.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: PwndLocker_04_03_2020_17KB.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | PwndLocker_04_03_2020_17KB.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 28 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Discovers systems in the same network 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: PwndLocker_04_03_2020_17KB.exe
pid | process
4216 | PwndLocker_04_03_2020_17KB.exe
4216 | PwndLocker_04_03_2020_17KB.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: PwndLocker_04_03_2020_17KB.exe
pid | process
4216 | PwndLocker_04_03_2020_17KB.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: PwndLocker_04_03_2020_17KB.exe
description | pid | process
Token: SeDebugPrivilege | 4216 | PwndLocker_04_03_2020_17KB.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\PwndLocker_04_03_2020_17KB.exe "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\PwndLocker_04_03_2020_17KB.exe" PID:4216
  - Modifies extensions of user files
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "CSFalconService" /y PID:2004
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "CSFalconService" /y PID:5032
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "McAfeeFramework" /y PID:4804
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "McAfeeFramework" /y PID:4964
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "Alerter" /y PID:4536
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Alerter" /y PID:4884
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "AcronisAgent" /y PID:5108
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "AcronisAgent" /y PID:1352
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y PID:2200
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Acronis VSS Provider" /y PID:5004
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "BackupExecAgentAccelerator" /y PID:1864
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y PID:4532
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "BackupExecDeviceMediaService" /y PID:1916
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y PID:3196
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "BackupExecJobEngine" /y PID:2848
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "BackupExecJobEngine" /y PID:220
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "BackupExecManagementService" /y PID:232
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "BackupExecManagementService" /y PID:4332
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "BackupExecRPCService" /y PID:4284
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "BackupExecRPCService" /y PID:3656
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "BackupExecVSSProvider" /y PID:3936
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y PID:2100
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "DFSR" /y PID:4016
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "DFSR" /y PID:3364
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "EPIntegrationService" /y PID:1108
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "EPIntegrationService" /y PID:3624
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "EPProtectedService" /y PID:4596
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "EPProtectedService" /y PID:3976
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "EPSecurityService" /y PID:1400
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "EPSecurityService" /y PID:4196
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "EPUpdateService" /y PID:860
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "EPUpdateService" /y PID:332
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MB3Service" /y PID:1480
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MB3Service" /y PID:1200
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MBAMService" /y PID:1832
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MBAMService" /y PID:1588
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MBEndpointAgent" /y PID:2480
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MBEndpointAgent" /y PID:1924
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeES" /y PID:3504
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeES" /y PID:3900
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeMGMT" /y PID:4984
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeMGMT" /y PID:4260
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeMTA" /y PID:528
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeMTA" /y PID:2332
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeSA" /y PID:3644
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeSA" /y PID:3340
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeSRS" /y PID:1680
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeSRS" /y PID:3988
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeADTopology" /y PID:2880
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeADTopology" /y PID:3968
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeDelivery" /y PID:2708
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeDelivery" /y PID:4932
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeDiagnostics" /y PID:1744
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeDiagnostics" /y PID:5032
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeEdgeSync" /y PID:5028
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeEdgeSync" /y PID:1808
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeHM" /y PID:4600
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeHM" /y PID:1056
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeHMRecovery" /y PID:4820
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeHMRecovery" /y PID:4872
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeIS" /y PID:1360
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeIS" /y PID:1864
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeMailboxReplication" /y PID:2104
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeMailboxReplication" /y PID:3304
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeRPC" /y PID:3552
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeRPC" /y PID:4060
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeRepl" /y PID:2244
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeRepl" /y PID:3192
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeServiceHost" /y PID:232
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeServiceHost" /y PID:1608
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeTransport" /y PID:5060
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeTransport" /y PID:3972
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeUM" /y PID:2072
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeUM" /y PID:2060
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSExchangeUMCR" /y PID:4456
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSExchangeUMCR" /y PID:3792
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSOLAP$*" /y PID:984
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSOLAP$*" /y PID:2836
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MSSQLSERVER" /y PID:4568
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MSSQLSERVER" /y PID:1564
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MsDtsServer" /y PID:2380
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MsDtsServer" /y PID:3696
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "MySQL57" /y PID:4560
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "MySQL57" /y PID:4868
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "OSearch15" /y PID:2948
    C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "OSearch15" /y PID:1200
  C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop "OracleClientCache80" /y PID:1476
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "OracleClientCache80" /y3⤵PID:2636
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB25" /y2⤵PID:1584
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB25" /y3⤵PID:4308
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SPAdminV4" /y2⤵PID:1924
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SPAdminV4" /y3⤵PID:4588
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SPSearchHostController" /y2⤵PID:1160
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SPSearchHostController" /y3⤵PID:2248
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SPTraceV4" /y2⤵PID:1512
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SPTraceV4" /y3⤵PID:2424
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SPUserCodeV4" /y2⤵PID:2152
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SPUserCodeV4" /y3⤵PID:536
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SPWriterV4" /y2⤵PID:2112
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SPWriterV4" /y3⤵PID:976
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLBrowser" /y2⤵PID:1736
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLBrowser" /y3⤵PID:1340
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLSafeOLRService" /y2⤵PID:1680
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLSafeOLRService" /y3⤵PID:3968
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y2⤵PID:4044
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLsafe Backup Service" /y3⤵PID:4900
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLSERVERAGENT" /y2⤵PID:4916
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLSERVERAGENT" /y3⤵PID:4960
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLTELEMETRY" /y2⤵PID:5032
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLTELEMETRY" /y3⤵PID:2888
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLBackups" /y2⤵PID:2004
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLBackups" /y3⤵PID:3152
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$*" /y2⤵PID:1948
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$*" /y3⤵PID:4940
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$*" /y2⤵PID:3100
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$*" /y3⤵PID:4820
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSMQ" /y2⤵PID:5036
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSMQ" /y3⤵PID:1116
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "ReportServer" /y2⤵PID:5040
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "ReportServer" /y3⤵PID:3196
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "ReportServer$*" /y2⤵PID:4204
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "ReportServer$*" /y3⤵PID:112
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLWriter" /y2⤵PID:224
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLWriter" /y3⤵PID:4332
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLBackupAgent" /y2⤵PID:2244
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLBackupAgent" /y3⤵PID:1368
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y2⤵PID:232
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Symantec System Recovery" /y3⤵PID:4368
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SyncoveryVSSService" /y2⤵PID:5060
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SyncoveryVSSService" /y3⤵PID:2060
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "VeeamBackupSvc" /y2⤵PID:2100
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VeeamBackupSvc" /y3⤵PID:3136
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "VeeamCatalogSvc" /y2⤵PID:3352
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VeeamCatalogSvc" /y3⤵PID:1108
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "VeeamCloudSvc" /y2⤵PID:4340
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VeeamCloudSvc" /y3⤵PID:1920
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "VeeamEndpointBackupSvc" /y2⤵PID:4020
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VeeamEndpointBackupSvc" /y3⤵PID:2724
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "VeeamEnterpriseManagerSvc" /y2⤵PID:4196
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y3⤵PID:1844
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "VeeamMountSvc" /y2⤵PID:644
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VeeamMountSvc" /y3⤵PID:1200
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "VeeamNFSSvc" /y2⤵PID:2716
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VeeamNFSSvc" /y3⤵PID:1588
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "VeeamRESTSvc" /y2⤵PID:540
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VeeamRESTSvc" /y3⤵PID:3144
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "VeeamTransportSvc /y2⤵PID:312
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VeeamTransportSvc /y3⤵PID:2604
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y2⤵PID:2884
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y3⤵PID:2596
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "epag" /y2⤵PID:3900
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "epag" /y3⤵PID:2576
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "epredline" /y2⤵PID:1496
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "epredline" /y3⤵PID:2932
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "mozyprobackup" /y2⤵PID:1836
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "mozyprobackup" /y3⤵PID:3644
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "masvc" /y2⤵PID:2864
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "masvc" /y3⤵PID:4720
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "macmnsvc" /y2⤵PID:3160
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "macmnsvc" /y3⤵PID:2900
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "mfemms" /y2⤵PID:2180
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "mfemms" /y3⤵PID:4932
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "McAfeeDLPAgentService" /y2⤵PID:1240
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "McAfeeDLPAgentService" /y3⤵PID:2972
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "psqlWGE" /y2⤵PID:1652
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "psqlWGE" /y3⤵PID:1684
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "swprv" /y2⤵PID:4908
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "swprv" /y3⤵PID:3000
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "wsbexchange" /y2⤵PID:2580
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "wsbexchange" /y3⤵PID:2796
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "WinVNC4" /y2⤵PID:2684
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "WinVNC4" /y3⤵PID:4484
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "TMBMServer" /y2⤵PID:4872
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TMBMServer" /y3⤵PID:1360
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "tmccsf" /y2⤵PID:3176
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "tmccsf" /y3⤵PID:2104
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "tmlisten" /y2⤵PID:1916
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "tmlisten" /y3⤵PID:112
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "VSNAPVSS" /y2⤵PID:5068
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VSNAPVSS" /y3⤵PID:4332
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "stc_endpt_svc" /y2⤵PID:2224
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "stc_endpt_svc" /y3⤵PID:1368
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "wbengine" /y2⤵PID:4524
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "wbengine" /y3⤵PID:4368
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "bbagent" /y2⤵PID:3972
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "bbagent" /y3⤵PID:832
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "NasPmService" /y2⤵PID:3756
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "NasPmService" /y3⤵PID:2072
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "BASupportExpressStandaloneService_N_Central" /y2⤵PID:2572
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "BASupportExpressStandaloneService_N_Central" /y3⤵PID:4552
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "BASupportExpressSrvcUpdater_N_Central" /y2⤵PID:372
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "BASupportExpressSrvcUpdater_N_Central" /y3⤵PID:3476
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "hasplms" /y2⤵PID:1120
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "hasplms" /y3⤵PID:1636
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "EqlVss" /y2⤵PID:2044
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "EqlVss" /y3⤵PID:4844
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "EqlReqService" /y2⤵PID:2592
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "EqlReqService" /y3⤵PID:1852
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "RapidRecoveryAgent" /y2⤵PID:2924
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "RapidRecoveryAgent" /y3⤵PID:4308
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "YTBackup" /y2⤵PID:2816
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "YTBackup" /y3⤵PID:2904
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "vhdsvc" /y2⤵PID:2284
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "vhdsvc" /y3⤵PID:3280
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "TeamViewer" /y2⤵PID:1160
- Discovers systems in the same network
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TeamViewer" /y3⤵PID:972
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSOLAP$SQL_2008" /y2⤵PID:5072
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y3⤵PID:1524
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSOLAP$SYSTEM_BGC" /y2⤵PID:1520
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y3⤵PID:792
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSOLAP$TPS" /y2⤵PID:1372
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSOLAP$TPS" /y3⤵PID:4780
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSOLAP$TPSAMA" /y2⤵PID:3472
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y3⤵PID:784
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$BKUPEXEC" /y2⤵PID:3440
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y3⤵PID:4080
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$ECWDB2" /y2⤵PID:1680
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y3⤵PID:1364
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$PRACTICEMGT" /y2⤵PID:4032
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y3⤵PID:4880
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$PRACTTICEBGC" /y2⤵PID:384
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y3⤵PID:4364
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$PROD" /y2⤵PID:1596
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$PROD" /y3⤵PID:3296
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$PROFXENGAGEMENT" /y2⤵PID:1808
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y3⤵PID:1388
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$SBSMONITORING" /y2⤵PID:4940
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y3⤵PID:4272
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$SHAREPOINT" /y2⤵PID:4820
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y3⤵PID:4100
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$SOPHOS" /y2⤵PID:3176
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y3⤵PID:112
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$SQL_2008" /y2⤵PID:216
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y3⤵PID:4264
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$SQLEXPRESS" /y2⤵PID:4060
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y3⤵PID:1368
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$SYSTEM_BGC" /y2⤵PID:3768
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y3⤵PID:4368
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$TPS" /y2⤵PID:4888
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$TPS" /y3⤵PID:2800
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$TPSAMA" /y2⤵PID:832
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y3⤵PID:3136
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$VEEAMSQL2008R2" /y2⤵PID:5060
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y3⤵PID:4992
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$VEEAMSQL2012" /y2⤵PID:2100
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y3⤵PID:3352
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher" /y2⤵PID:4396
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher" /y3⤵PID:3976
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y2⤵PID:4772
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y3⤵PID:4844
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SBSMONITORING" /y2⤵PID:332
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y3⤵PID:3608
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SHAREPOINT" /y2⤵PID:2212
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y3⤵PID:3300
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SQL_2008" /y2⤵PID:3500
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y3⤵PID:5052
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$SYSTEM_BGC" /y2⤵PID:2616
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y3⤵PID:1412
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$TPS" /y2⤵PID:3280
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y3⤵PID:1924
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQLFDLauncher$TPSAMA" /y2⤵PID:3504
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y3⤵PID:520
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQLSERVER" /y2⤵PID:1524
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQLSERVER" /y3⤵PID:3816
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQLServerADHelper" /y2⤵PID:792
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQLServerADHelper" /y3⤵PID:5080
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQLServerADHelper100" /y2⤵PID:4720
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y3⤵PID:1436
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQLServerOLAPService" /y2⤵PID:1076
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y3⤵PID:2608
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$BKUPEXEC" /y2⤵PID:4080
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y3⤵PID:1280
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$CITRIX_METAFRAME" /y2⤵PID:1364
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y3⤵PID:1652
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$CXDB" /y2⤵PID:2708
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$CXDB" /y3⤵PID:1744
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$ECWDB2" /y2⤵PID:4580
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y3⤵PID:5108
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$PRACTTICEBGC" /y2⤵PID:660
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y3⤵PID:3104
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$PRACTTICEMGT" /y2⤵PID:4484
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y3⤵PID:4872
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$PROD" /y2⤵PID:3100
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PROD" /y3⤵PID:3396
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$PROFXENGAGEMENT" /y2⤵PID:1876
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y3⤵PID:4120
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$SBSMONITORING" /y2⤵PID:720
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y3⤵PID:1544
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$SHAREPOINT" /y2⤵PID:752
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y3⤵PID:2328
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$SOPHOS" /y2⤵PID:4332
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y3⤵PID:1608
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$SQL_2008" /y2⤵PID:224
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y3⤵PID:232
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$SQLEXPRESS" /y2⤵PID:3936
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y3⤵PID:3748
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$SYSTEM_BGC" /y2⤵PID:1504
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y3⤵PID:1108
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$TPS" /y2⤵PID:4552
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$TPS" /y3⤵PID:2076
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$TPSAMA" /y2⤵PID:2572
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y3⤵PID:2724
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$VEEAMSQL2008R2" /y2⤵PID:372
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y3⤵PID:1400
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$VEEAMSQL2012" /y2⤵PID:944
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y3⤵PID:3780
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "ReportServer$SQL_2008" /y2⤵PID:4848
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y3⤵PID:2948
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "ReportServer$SYSTEM_BGC" /y2⤵PID:2592
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y3⤵PID:860
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "ReportServer$TPS" /y2⤵PID:2636
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "ReportServer$TPS" /y3⤵PID:2604
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "ReportServer$TPSAMA" /y2⤵PID:2316
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y3⤵PID:3892
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\RANSOM~1\PWNDLO~1.EXE >> NUL2⤵PID:3972
-